Authentication

How API authentication works with API keys.

All Unmarkdown™ API endpoints require authentication via API keys, with one exception: the Demo Publish endpoint, which requires no authentication.

API Key Format

API keys follow a predictable format:

um_<64 hexadecimal characters>

Example: um_a1b2c3d4e5f6... (68 characters total).

The um_ prefix makes it easy to identify Unmarkdown™ keys in your codebase and to configure secret scanners.

Each account can have up to 2 active API keys. This allows you to rotate keys without downtime.

Pass your API key in the Authorization header as a Bearer token:

curl https://api.unmarkdown.com/v1/documents \
  -H "Authorization: Bearer um_your_api_key_here"

const res = await fetch('https://api.unmarkdown.com/v1/documents', {
  headers: {
    'Authorization': 'Bearer um_your_api_key_here'
  }
});

import requests

res = requests.get(
    'https://api.unmarkdown.com/v1/documents',
    headers={'Authorization': 'Bearer um_your_api_key_here'}
)

Hashed storage. API keys are hashed with SHA-256 before storage. The raw key is never saved on the server.
One-time display. The full key is shown only at creation time. If you lose it, delete the key and create a new one.
Never logged. API keys are excluded from server logs and error reports.
HTTPS only. All API requests must use HTTPS. HTTP requests are rejected.

To rotate a key without downtime:

Error	Cause	Solution
`Missing Authorization header`	No header sent	Add `Authorization: Bearer um_...` header
`Invalid Authorization format`	Wrong format	Use `Bearer <key>`, not `Basic` or raw key
`Invalid or revoked API key`	Key deleted or wrong	Check the key is correct and active in Settings

WARNING

Never expose your API key in client-side code, public repositories, or URLs. Keep it in environment variables or a secrets manager.