Authentication

Owner API keys, headers, and workspace scope.

Bolt Sequencer exposes workspace HTTP APIs on the app origin (https://app.boltsequencer.com by default). Integrators use an owner API key — not browser session cookies.

API keys

  • Create and revoke keys in the product app: Settings → Account → API keys.
  • You must be an owner in at least one workspace to manage keys.
  • One active key per account. Revoke the current key before generating a replacement.
  • The plaintext secret is shown once on create (bs_live_…). Store it securely.

Required headers

Every workspace-scoped request must include:

Header            Value
Authorization     Bearer bs_live_<secret>
X-Workspace-Id    UUID of a workspace where your account is owner

Use Content-Type: application/json for JSON bodies.

Bearer vs session

  • If you send Authorization: Bearer bs_live_…, the server uses the API key path only — a valid session cookie is not used as a fallback when the Bearer header is present.
  • When using the web app in a browser, omit Authorization and rely on the session cookie.
  • When automating, send only the API key (do not rely on cookies).

Effective permissions

The key acts as workspace owner on the workspace given by X-Workspace-Id. That is full owner capability on Bearer-enabled routes: leads, campaigns, segments, blocklists, connected inboxes (SMTP/SES — not Google/Microsoft OAuth connect), unified inbox, monitoring, dashboard, and analytics exports.

Treat keys like root automation credentials. Rotate by revoking and creating a new key.

Key management routes (session only)

These routes require a signed-in browser session and are not available with API keys:

  • GET / POST /api/user/api-keys
  • DELETE /api/user/api-keys/[id]

Google and Microsoft inboxes

OAuth connect flows (/api/inboxes/oauth/google|microsoft/*) are browser-only. Create SMTP or SES inboxes via the API; connect Gmail/Outlook in the app UI.
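
The header and session rules above, as an added Python example that is not Bolt Sequencer's own code: it builds a key-only request, refuses the session-only routes on the client side, and redacts the secret before logging. The route /api/example-route, the BOLT_API_KEY variable name, and the sample key and UUID are assumptions constructed for illustration.

```python
import json
import os
import re
import urllib.request
import uuid

BASE_URL = "https://app.boltsequencer.com"  # default app origin named on this page
# Routes the page lists as browser-session only; a key-authenticated client must not call them.
SESSION_ONLY = (re.compile(r"^/api/user/api-keys(/|$)"),
                re.compile(r"^/api/inboxes/oauth/(google|microsoft)/"))


def build_request(path, workspace_id, api_key, method="GET", body=None):
    """Return a urllib Request that carries only API-key credentials."""
    if not api_key.startswith("bs_live_") or len(api_key) <= len("bs_live_"):
        raise ValueError("expected an owner API key beginning with bs_live_")
    workspace = str(uuid.UUID(workspace_id))  # raises ValueError on a malformed id
    if any(p.match(path) for p in SESSION_ONLY):
        raise PermissionError(f"{path} requires a browser session, not an API key")
    headers = {"Authorization": f"Bearer {api_key}", "X-Workspace-Id": workspace}
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    # No Cookie header is ever set: automation sends the key alone.
    return urllib.request.Request(BASE_URL + path, data=data, headers=headers, method=method)


def redacted_headers(request):
    """Copy of the request headers that is safe to log: the secret is replaced."""
    safe = dict(request.header_items())
    if "Authorization" in safe:
        safe["Authorization"] = "Bearer bs_live_<redacted>"
    return safe


if __name__ == "__main__":
    # Constructed fallback key; a real key comes from a secret store or environment.
    key = os.environ.get("BOLT_API_KEY", "bs_live_constructed_example")
    req = build_request("/api/example-route",  # hypothetical route, not from the page
                        "123e4567-e89b-12d3-a456-426614174000",  # constructed UUID
                        key, method="POST", body={"name": "demo"})
    print(req.get_method(), req.full_url, redacted_headers(req))
```
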