Create a scoped key
- Sign in to Bily.
- Select the store this workload may access.
- Open Settings.
- Open MCP.
- Under Access key fallback, enter a descriptive name and expiration.
- Create the key and copy its full value immediately.
Add the key to requests
Send the key in the recommendedx-api-key header:
Keep keys protected
- Keep each key in server-side secret storage.
- Do not log request headers that may contain a key.
- Match the expiration to the workload’s lifecycle.
- Create a replacement before revoking a production key.
- Revoke a key immediately if it may have been exposed.
Fix authentication and permission errors
Each key includes the permissions available through the stable customer API. It also carries the selected store and organization scope. Bily rejects requests for another store or organization. An action can also return403 when the caller lacks its required permission.
A 401 means the key is missing, expired, revoked, or invalid. Replace or rotate it.
A 403 means the request is authenticated but cannot access the requested operation or scope. If the error requires a store-scoped key, select the intended store and create a replacement.
Make your first request
Confirm the authenticated user, organization, and store in one request.