Authentication & API keys
Authenticate to the Reeve API with a Bearer API key — how to create, send, and revoke keys, plus the request headers Reeve uses.
Authentication & API keys
Every request to the Reeve API is authenticated with an API key, sent as a Bearer token. Keys are created in the Reeve app, scoped to your app/organization, shown once, and revocable.
This page covers API authentication for calling https://api.meetreeve.com. For signing into the Reeve web app itself (magic link, Google, email + password), see Getting started.
Sending your key
Send the key in the Authorization header as a Bearer token:
curl https://api.meetreeve.com/api/crm/v1/contacts \
-H "Authorization: Bearer rcm_your_api_key"Reeve API keys are prefixed with rcm_. Requests without a valid key are rejected with 401.
Creating a key
Open the Reeve app and go to your app / developer settings.
Create a new API key and give it a label so you can tell your keys apart later.
Copy the key now — it's shown only once at creation and never displayed again. Store it somewhere safe (a secrets manager or an environment variable).
export REEVE_API_KEY="rcm_..."
curl https://api.meetreeve.com/api/crm/v1/stats \
-H "Authorization: Bearer $REEVE_API_KEY"Treat API keys like passwords. Never commit them to version control, embed them in client-side code, or paste them into shared docs. Use environment variables or a secrets manager.
How keys work
- Hashed at rest. Reeve stores only a SHA-256 hash of your key, never the plaintext. That's why the key is shown once — there's no way to recover it later. If you lose it, create a new one.
- Multiple keys per app. You can issue more than one key (for example, one per environment) and label each.
- Revocable. Revoke a key from the Reeve app at any time. Revoked keys immediately stop authenticating; other keys keep working.
- Rotating keys. To rotate, create a new key, switch your integration to it, then revoke the old one.
Request headers
Beyond the Authorization header, Reeve API requests may include these headers:
| Header | Purpose |
|---|---|
Authorization: Bearer rcm_… | Required. Your API key. |
X-Org-Id | Optional. Targets a specific organization when your key has access to more than one. |
Idempotency-Key | Optional, on write endpoints. A unique value you supply so a retried request isn't applied twice. |
Content-Type: application/json | Required on requests with a JSON body. |
You may also see X-Reeve-Service-Token referenced in the API schemas. That header is for internal service-to-service calls inside the Reeve backend and is not the developer path — public integrations authenticate with an API key as shown above.
Idempotency
Write endpoints accept an optional Idempotency-Key header. Supply a unique value (a UUID is a good choice) and Reeve will ensure the operation is applied at most once even if the request is retried after a network error:
curl -X POST https://api.meetreeve.com/api/crm/v1/contacts \
-H "Authorization: Bearer $REEVE_API_KEY" \
-H "Idempotency-Key: $(uuidgen)" \
-H "Content-Type: application/json" \
-d '{ "email": "jane@acme.com" }'Errors
Authentication and validation failures use standard HTTP status codes:
| Status | Meaning |
|---|---|
401 | Missing, malformed, or revoked API key |
403 | Authenticated, but not allowed to access the requested resource |
422 | Request body or parameters failed validation |
See the API reference for the per-endpoint request and response shapes.