Every request to the Folio API must include an API key in the Authorization header:
Authorization: Bearer sk_test_...

Key types

| Prefix | Environment | Notes |
| --- | --- | --- |
| sk_test_ | Sandbox | Safe for local development and CI. Results are not billable. |
| sk_live_ | Production | Use only in server-side code; protect like a password. |

Obtaining a key

API keys are managed at the organisation level in the Folio dashboard. Every member of an org can create and revoke keys, but keys are not scoped to individual users — they represent the org as a whole.

Errors

A missing or invalid key returns 401 Unauthorized with the standard error envelope:
{
  "error": {
    "type": "auth_error",
    "code": "invalid_api_key",
    "message": "The API key provided is invalid or has been revoked."
  }
}

Security

Never expose an API key in client-side code, public repositories, or logs. Keys carry full API access for your organisation.
  • Pass keys via environment variables (FOLIO_API_KEY) rather than hard-coding them.
  • Rotate keys immediately if you suspect exposure — revoke the old key in the dashboard and issue a new one.
  • Use sk_test_ keys in non-production environments so that accidental exposure doesn’t affect live data.
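
One way to apply the rules above in a server-side client, as an added example that is not Folio's own code: it reads the key from FOLIO_API_KEY, refuses an sk_live_ key outside production, logs only the key prefix, and recognises the 401 invalid_api_key envelope shown under Errors. The function names, the production flag and the sample key are assumptions made for illustration.

```python
import json
import os

TEST_PREFIX, LIVE_PREFIX = "sk_test_", "sk_live_"


class KeyConfigError(RuntimeError):
    """FOLIO_API_KEY is missing, malformed, or unsafe for this environment."""


def load_api_key(env=None, production=False):
    # `production` is a hypothetical flag the deployment sets; default is safe.
    env = os.environ if env is None else env
    key = env.get("FOLIO_API_KEY", "").strip()
    if not key:
        raise KeyConfigError("FOLIO_API_KEY is not set")
    if not key.startswith((TEST_PREFIX, LIVE_PREFIX)):
        raise KeyConfigError("FOLIO_API_KEY has an unrecognised prefix")
    if key.startswith(LIVE_PREFIX) and not production:
        raise KeyConfigError("sk_live_ key found in a non-production environment")
    return key


def redact(key):
    # Form that is safe to log: the prefix only, never the secret part.
    prefix = next((p for p in (TEST_PREFIX, LIVE_PREFIX) if key.startswith(p)), "")
    return prefix + "***"


def auth_headers(key):
    return {"Authorization": "Bearer " + key}


def is_invalid_key_response(status, body):
    # True only for the 401 envelope with type auth_error / code invalid_api_key.
    if status != 401:
        return False
    try:
        err = json.loads(body)["error"]
        return err["type"] == "auth_error" and err["code"] == "invalid_api_key"
    except (ValueError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    # Constructed sample key, not a real credential.
    key = load_api_key({"FOLIO_API_KEY": "sk_test_constructed0000"})
    print("using key", redact(key))
```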