Authentication

Every API request must include a valid platform API token. Tokens use Bearer authentication and are scoped to your organization.

Create an API token

  1. Log in to the IBEE portal.
  2. Go to Settings → Platform API Tokens.
  3. Click Create Token.
  4. Give the token a name, select the scopes it needs, and choose a workspace policy.
  5. Click Create. Copy the token immediately — it is shown only once.

Store your token securely. If you lose it, revoke it and create a new one.

Using your token

Include the token in the Authorization header as a Bearer token:

$curl https://api.ibee.ai/v1/object-storage/buckets?workspace_id=907479 \
> -H "Authorization: Bearer ibee_live_xxxxxxxxxxxx"

Tokens follow the format ibee_live_xxx for production or ibee_test_xxx for test environments.

Scopes

Each token is granted specific scopes that control which resources it can access. Select the minimum scopes your integration needs.

ScopePermission
secret-store.readList stores, get secret metadata and values.
secret-store.writeCreate stores, create and update secrets.
object-storage.readList and read buckets.
object-storage.writeCreate buckets.
object-storage.deleteDelete buckets.
vm.readList and get virtual machines and operations.
vm.writeCreate, update, delete VMs and run power actions.

A request to an endpoint that requires a scope the token does not have returns 403 Forbidden.

Workspace policies

When you create a token, you choose how it accesses workspaces:

PolicyBehavior
Entire organizationThe token can access any workspace in the organization.
Specific workspacesThe token can only access the workspaces you select. Requests to other workspaces return 403 Forbidden.

Use Specific workspaces when you want to limit a CI/CD pipeline or integration to a single environment (for example, only staging).

Revoking tokens

To revoke a token:

  1. Go to Settings → Platform API Tokens in the portal.
  2. Find the token and click Revoke.

Revoked tokens are rejected immediately on all subsequent requests.

Error responses

StatusMeaning
401 UnauthorizedThe token is missing, malformed, or expired.
403 ForbiddenThe token does not have the required scope or is not allowed to access the requested workspace.