Skip to main content
Use a Bily API key to give trusted server workloads scoped access. Keep the key out of browser JavaScript, mobile application code, public repositories, and client-visible environment variables.

Create a scoped key

  1. Sign in to Bily.
  2. Select the store this workload may access.
  3. Open Settings.
  4. Open MCP.
  5. Under Access key fallback, enter a descriptive name and expiration.
  6. Create the key and copy its full value immediately.
Bily shows the full key once. Save it in your deployment platform’s secret manager. The key uses the selected store and its organization as its default API scope.
Replace any older settings-generated fallback key that lacks store scope. Select the intended store, create a new key, and update the workload.Revoke the older key after the replacement passes a read-only GET /context check.
Create one key for each environment and workload. Names such as reporting-production and catalog-sync-staging simplify rotation and audit review.

Add the key to requests

Send the key in the recommended x-api-key header:
curl --request GET \
  --url https://app.bily.ai/api/customer/v1/context \
  --header "x-api-key: $BILY_API_KEY"
You can also use Bearer authentication:
Authorization: Bearer <BILY_API_KEY>
Choose one authentication method for each request.

Keep keys protected

  • Keep each key in server-side secret storage.
  • Do not log request headers that may contain a key.
  • Match the expiration to the workload’s lifecycle.
  • Create a replacement before revoking a production key.
  • Revoke a key immediately if it may have been exposed.

Fix authentication and permission errors

Each key includes the permissions available through the stable customer API. It also carries the selected store and organization scope. Bily rejects requests for another store or organization. An action can also return 403 when the caller lacks its required permission. A 401 means the key is missing, expired, revoked, or invalid. Replace or rotate it. A 403 means the request is authenticated but cannot access the requested operation or scope. If the error requires a store-scoped key, select the intended store and create a replacement.

Make your first request

Confirm the authenticated user, organization, and store in one request.