Reeve
Developers

Authentication & API keys

Authenticate to the Reeve API with a Bearer API key — how to create, send, and revoke keys, plus the request headers Reeve uses.

Authentication & API keys

Every request to the Reeve API is authenticated with an API key, sent as a Bearer token. Keys are created in the Reeve app, scoped to your app/organization, shown once, and revocable.

This page covers API authentication for calling https://api.meetreeve.com. For signing into the Reeve web app itself (magic link, Google, email + password), see Getting started.

Sending your key

Send the key in the Authorization header as a Bearer token:

curl https://api.meetreeve.com/api/crm/v1/contacts \
  -H "Authorization: Bearer rcm_your_api_key"

Reeve API keys are prefixed with rcm_. Requests without a valid key are rejected with 401.

Creating a key

Open the Reeve app and go to your app / developer settings.

Create a new API key and give it a label so you can tell your keys apart later.

Copy the key now — it's shown only once at creation and never displayed again. Store it somewhere safe (a secrets manager or an environment variable).

export REEVE_API_KEY="rcm_..."

curl https://api.meetreeve.com/api/crm/v1/stats \
  -H "Authorization: Bearer $REEVE_API_KEY"

Treat API keys like passwords. Never commit them to version control, embed them in client-side code, or paste them into shared docs. Use environment variables or a secrets manager.

How keys work

  • Hashed at rest. Reeve stores only a SHA-256 hash of your key, never the plaintext. That's why the key is shown once — there's no way to recover it later. If you lose it, create a new one.
  • Multiple keys per app. You can issue more than one key (for example, one per environment) and label each.
  • Revocable. Revoke a key from the Reeve app at any time. Revoked keys immediately stop authenticating; other keys keep working.
  • Rotating keys. To rotate, create a new key, switch your integration to it, then revoke the old one.

Request headers

Beyond the Authorization header, Reeve API requests may include these headers:

HeaderPurpose
Authorization: Bearer rcm_…Required. Your API key.
X-Org-IdOptional. Targets a specific organization when your key has access to more than one.
Idempotency-KeyOptional, on write endpoints. A unique value you supply so a retried request isn't applied twice.
Content-Type: application/jsonRequired on requests with a JSON body.

You may also see X-Reeve-Service-Token referenced in the API schemas. That header is for internal service-to-service calls inside the Reeve backend and is not the developer path — public integrations authenticate with an API key as shown above.

Idempotency

Write endpoints accept an optional Idempotency-Key header. Supply a unique value (a UUID is a good choice) and Reeve will ensure the operation is applied at most once even if the request is retried after a network error:

curl -X POST https://api.meetreeve.com/api/crm/v1/contacts \
  -H "Authorization: Bearer $REEVE_API_KEY" \
  -H "Idempotency-Key: $(uuidgen)" \
  -H "Content-Type: application/json" \
  -d '{ "email": "jane@acme.com" }'

Errors

Authentication and validation failures use standard HTTP status codes:

StatusMeaning
401Missing, malformed, or revoked API key
403Authenticated, but not allowed to access the requested resource
422Request body or parameters failed validation

See the API reference for the per-endpoint request and response shapes.

On this page