Obvious/Help Center

Authentication

Published February 27, 2026 · Last updated March 5, 2026 · 2 min read

All requests to the Obvious API require authentication via an API key passed as a Bearer token in the Authorization header.

Generate an API key

API keys are created in your workspace settings. Only workspace owners and admins can create and manage keys.

  1. Open Settings → External Access.

  2. Click Create External Access.

  3. Enter a name for the key (e.g., "Production Integration").

  4. Click Create. The full API key appears once — copy it immediately.

Warning: The key is displayed only at creation. Obvious stores a hash, not the raw key. If you lose it, delete the key and create a new one.

Key format

API keys use the prefix obv_ followed by a 64-character hex string:

obv_a1b2c3d4e5f6...

The prefix identifies the key type. The first 8 characters after obv_ serve as a visible identifier in the dashboard.

Authenticate a request

Include the key in the Authorization header using the Bearer scheme:

Authorization: Bearer obv_your_api_key_here

Example: list templates

curl -X GET https://api.app.obvious.ai/api/v1/templates \
  -H "Authorization: Bearer obv_your_api_key_here"

A successful request returns 200 with the response body. An invalid or missing key returns 401 Unauthorized.

Key scoping and permissions

Each API key is scoped to the workspace where it was created. The key inherits the permissions of the user who created it — it can access any resource that user can access within the workspace.

If the user who created a key is removed from the workspace or deactivated, the key stops working.

Managing keys

From Settings → External Access, you can:

  • View all active keys with their prefix, creator, and last-used timestamp.

  • Filter keys by name.

  • Delete a key by clicking the menu and selecting Remove. Deletion is immediate and permanent — any application using that key loses access instantly.

There is a limit of 50 API keys per workspace.

Security recommendations

  • Store keys in environment variables or a secrets manager. Don't commit them to source control.

  • Create separate keys for each integration so you can revoke one without affecting others.

  • Delete unused keys regularly. The "last used" timestamp on each key helps identify stale credentials.

  • Rotate keys periodically by creating a new key, updating your integration, then deleting the old one.

Was this helpful?