Authentication

API key authentication for every request. No SDK, no OAuth flow for your callers.

API Key

Every API request must include your API key in the X-Api-Key header. Your key is tenant-scoped — it cannot access another tenant's resources.

curl https://cooplocker.com/api/v1/Reservation/activeReservations \
  -H "X-Api-Key: YOUR_API_KEY"

Get your key: Sign in at cooplocker.com and it appears on your dashboard immediately. No email confirmation step.

Getting your API key

After signing in with Google, your default API key is shown on the dashboard. You can generate additional keys (up to your tier limit) and give each a label so you can tell in the event stream which key made which reservation.

Tier        API keys
Free        1 (default only)
Starter     10
Pro         100
Enterprise  Unlimited

Rotating a key

Keys can be rotated from the dashboard. Rotating a key immediately invalidates the old value — any in-flight requests using the old key will receive 401 Unauthorized. Update your application before rotating in production.
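A rotation-tolerant caller, added here as an example and not part of the Coop Locker documentation or client code: it sends X-Api-Key, and on the 401 that a rotated key produces it reloads the key from its secret store once and retries only if the value actually changed. The transport signature, the COOPLOCKER_API_KEY variable and the demo keys are assumptions of this example; only the header, the endpoint and the 401-on-rotation behaviour come from the page.

```python
import os
from typing import Callable, Dict, Tuple

# From the page: the header name and the activeReservations endpoint.
ACTIVE_RESERVATIONS_URL = "https://cooplocker.com/api/v1/Reservation/activeReservations"

Response = Tuple[int, str]                                  # (status, body)
Transport = Callable[[str, Dict[str, str]], Response]       # assumed shape


def key_from_env() -> str:
    """Load the current key from the environment (stand-in for a secret store).
    COOPLOCKER_API_KEY is an assumed name, not one the page defines."""
    key = os.environ.get("COOPLOCKER_API_KEY")
    if not key:
        raise RuntimeError("COOPLOCKER_API_KEY is not set")
    return key


def get_with_rotation(url: str, send: Transport,
                      load_key: Callable[[], str] = key_from_env) -> Response:
    """GET `url` with X-Api-Key; survive a dashboard rotation without a restart.

    Rotation invalidates the old value immediately, so a 401 may simply mean
    this process still holds the stale key. Reload it and retry exactly once,
    and only if the store now returns a different value: a 401 with an
    unchanged key is a genuine auth failure and retrying would just burn the
    write/read budget. The key is never logged or put in the URL.
    """
    key = load_key()
    status, body = send(url, {"X-Api-Key": key})
    if status == 401:
        fresh = load_key()
        if fresh != key:
            status, body = send(url, {"X-Api-Key": fresh})
    return status, body


def _demo() -> Response:
    """Constructed offline scenario: the key was rotated to NEW; the process
    first loads the cached OLD value, while the store already holds NEW."""
    OLD, NEW = "ck_old_placeholder", "ck_new_placeholder"   # constructed, not real keys
    store = iter([OLD, NEW])                                # first load stale, second fresh

    def fake_send(url: str, headers: Dict[str, str]) -> Response:
        # Fake server: only the rotated key is accepted, as the page describes.
        return (200, "ok") if headers.get("X-Api-Key") == NEW else (401, "Unauthorized")

    return get_with_rotation(ACTIVE_RESERVATIONS_URL, fake_send, lambda: next(store))
```

Pair this with a short overlap window in your deployment: push the new key to the secret store first, then rotate on the dashboard, so the reload on 401 finds the new value.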

Key labels and event attribution

When you create an API key you can give it a label (e.g. worker-prod, staging-tests). That label appears in the apiKeyLabel field of every SSE event emitted by requests using that key, making it easy to attribute activity in the event stream to a specific caller.

JWT exchange (Starter+)

If you already issue JWTs to your own users, you can exchange a valid JWT for a short-lived Coop Locker token instead of embedding an API key in each client. This lets you scope reservations to individual end-users without creating one API key per user.

POST /api/v1/auth/token
Content-Type: application/json

{
  "jwt": "eyJ..."
}

Returns a short-lived bearer token accepted in the X-Api-Key header.

Availability: JWT exchange requires Starter tier or above. Free tenants must use a static API key.

What the key does NOT grant

Rate limiting and tier identity

Your tier (Free / Starter / Pro / Enterprise) is derived from your API key at request time. The rate limiter partitions by {tenantId}:{tier}:{read|write} — reads (GET + HEAD + check POSTs) have a 5× higher limit than writes. See the Errors page for 429 response details.