
Authentication

The ExaRoutes API uses workspace-level API keys. Create and manage keys from the dashboard at Settings → API keys.

Key format

exr_live_<random>      # production
exr_test_<random>      # staging

Each key is bound to one workspace and one subscription. A key can do everything that subscription’s plan allows for QR codes. There are no per-key scopes: a key is full-access for its workspace, so treat it like a password.

Sending the key

Pass the key as a Bearer token in the Authorization header on every request:

curl https://api.exaroutes.com/api/qr/codes \
  -H "Authorization: Bearer exr_live_..."

A request with no Authorization: Bearer header is rejected with 401.

Key rotation

Rotate a key at any time from the dashboard. The old key keeps working for 24 hours after rotation, so you can roll the new key out to your integrations without downtime. After the grace window the old key stops authenticating.

Keeping keys safe

  • Never embed a key in client-side code, a mobile app, or a public repository. It is a full-access credential.
  • Use exr_test_ keys against staging and exr_live_ keys against production.
  • If a key leaks, rotate it immediately from the dashboard, or revoke it outright. A rotated key still authenticates during the 24-hour grace window described under Key rotation.
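
The checks below are an added example, not ExaRoutes code: exr_scan finds keys embedded in a source tree and reports them redacted, and exr_key_matches_env enforces the live/production and test/staging pairing from the list above. The function names and the key pattern (16 or more characters of [A-Za-z0-9_-] after the prefix) are assumptions, since this page does not document the random part of a key.

```shell
#!/bin/sh
# Added example (not ExaRoutes code): checks for the "Keeping keys safe" rules.
# ASSUMPTION: <random> is 16 or more characters from [A-Za-z0-9_-]. The page
# does not document the alphabet or length, so adjust EXR_KEY_RE to real keys.
EXR_KEY_RE='exr_(live|test)_[A-Za-z0-9_-]{16,}'

# exr_scan DIR
# Recursively search DIR for embedded keys, skipping .git and binary files.
# Prints one "file:line:prefix<redacted>" row per hit so the secret itself
# never reaches a terminal or CI log.
# Returns 0 = clean, 1 = at least one exr_live_ key, 2 = only exr_test_ keys.
exr_scan() {
    exr_hits=$(grep -rnoIE --exclude-dir=.git "$EXR_KEY_RE" "$1" 2>/dev/null) || true
    [ -n "$exr_hits" ] || return 0
    # Keep the prefix (it tells live from test) and drop the secret part.
    printf '%s\n' "$exr_hits" |
        sed -E 's/(exr_(live|test)_)[A-Za-z0-9_-]+$/\1<redacted>/'
    if printf '%s\n' "$exr_hits" | grep -qE ':exr_live_[A-Za-z0-9_-]+$'; then
        return 1
    fi
    return 2
}

# exr_key_matches_env KEY ENV
# Succeeds only for the pairings the page allows: exr_live_ keys with
# "production" and exr_test_ keys with "staging". Call it before a request
# so a production credential is never sent to staging, or the reverse.
exr_key_matches_env() {
    case "$2:$1" in
        production:exr_live_?*|staging:exr_test_?*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Call exr_scan on the repository root from a pre-commit hook or CI step and fail the job on return code 1; return code 2 means only test keys were found, which still should not be committed.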