Authentication
API keys
The Business API authenticates server-to-server with a scoped API key — a Bearer credential bound to a single business, accepted only over HTTPS.
- Auth
- Bearer
- Binding
- One business
- Transport
- HTTPS
The key model
Send your key in the Authorization header as a Bearer token. There's no user session — the key authenticates the request on its own.
A key only works on its own business's handle endpoint; presenting it elsewhere is refused.
Create and manage keys in the business admin under Settings → API keys: name a key, grant it scopes, and copy its secret once at creation. Treat the secret like a password — store it server-side and rotate it if it leaks.
curl https://business.sessions.website/@<handle>/api/graphql \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer sk_live_…' \
--data '{"query":"{ activeBusiness { id name } }"}'Scopes
A key is granted one or more scopes. A request that touches a field outside its scopes is refused. Scopes available today:
participants:readreadregistrations:readreadproducts:readreadpurchases:readreadwebhooks:readreadwebhooks:writewriteUsing a key
The Business GraphQL API is the surface these keys unlock. Business GraphQL guide