Every API request authenticates with a bearer token:
curl https://api.lavendly.ai/v1/workflows \
-H "Authorization: Bearer lv_live_…"
| Header | Required | Purpose |
|---|
Authorization | Yes | Bearer <api_key>. Scopes the request to your account. |
Idempotency-Key | No | Opaque string. Same value within 5 min returns the same response. |
Getting an API key
Sign in at lavendly.ai and
create a key from your dashboard. Keys are prefixed lv_live_ for
production and lv_test_ for the sandbox.
API keys are secrets. Treat them like passwords. The platform never
emails them back to you; if you lose one, rotate it from the
dashboard.
Token scopes
A single API key grants access to everything in your account. We don’t
ship fine-grained per-operation scopes yet, if you need them for a
specific integration, get in touch.
When you’re embedding Lavendly in another product
If you’re letting your own users render through your Lavendly
account, do not ship the key to the browser. Put your own auth
in front of any path that touches Lavendly and call the API
server-side with your key.
Recommended: idempotency on every paid call
Every mutating endpoint that costs money accepts Idempotency-Key.
The header value is scoped per-account and cached for 5 minutes, a
retry returns the same response, byte-for-byte, without re-executing
the mutation.
See Idempotency for the full pattern. 
