ConsistlyAPI

Authentication

Bearer API keys, product-prefixed scopes, and OAuth client credentials.

API keys

All resource endpoints authenticate with a bearer API key issued from the Consistly dashboard:

curl https://staging.consistly.io/api/public/v1/organizations \
  -H "Authorization: Bearer sk_live_..."

| Prefix | Type | Use |
| --- | --- | --- |
| sk_live_ | Secret key, live mode | Server-side calls against production data. |
| sk_test_ | Secret key, test mode | Server-side calls against test data. |
| pk_live_ | Publishable key | Limited, client-safe operations. |

Keep secret keys server-side

sk_ keys grant write access to your organization's data. Never embed them in client-side code, and rotate them from the dashboard if they leak.

Test-mode keys (sk_test_) operate on isolated test data — responses indicate the mode via the key's livemode.
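
A pre-deploy check for the rule above, written as an added example (it is not Consistly's code): it scans client-side files for key-shaped tokens, fails the build on any sk_ key, and lets pk_live_ keys through. The key prefixes are from the table above; the token body pattern, the sample file names and the sample key values are assumptions constructed for the example.

```python
import re

# Prefixes come from the table above. The token body's character set and
# minimum length are assumptions; the page does not document the key format.
KEY_RE = re.compile(r"\b(sk_live_|sk_test_|pk_live_)([A-Za-z0-9]{8,})")
KINDS = {
    "sk_live_": ("secret", "live"),
    "sk_test_": ("secret", "test"),
    "pk_live_": ("publishable", "live"),
}


def redact(prefix, body):
    """Keep the prefix and last 4 characters so reports never leak the key."""
    return prefix + "*" * (len(body) - 4) + body[-4:]


def scan(name, text):
    """Return one finding per key-shaped token found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in KEY_RE.finditer(line):
            prefix, body = match.groups()
            kind, mode = KINDS[prefix]
            findings.append({
                "file": name, "line": lineno, "kind": kind, "mode": mode,
                "token": redact(prefix, body),
                # Any sk_ key is blocking in client code, test mode included.
                "blocking": kind == "secret",
            })
    return findings


def check_bundle(files):
    """files maps client-side file names to contents; returns (ok, findings)."""
    findings = [f for name, text in files.items() for f in scan(name, text)]
    return not any(f["blocking"] for f in findings), findings


# Constructed sample bundle; the key values are made up for this example.
SAMPLE = {
    "app.js": 'const api = new Client("pk_live_CONSTRUCTED0001");\n',
    "debug.js": '// leftover\nconst h = {Authorization: "Bearer sk_test_CONSTRUCTED0002"};\n',
}

if __name__ == "__main__":
    ok, findings = check_bundle(SAMPLE)
    for f in findings:
        print(f"{f['file']}:{f['line']} {f['kind']}/{f['mode']} {f['token']}")
    raise SystemExit(0 if ok else 1)
```

Run it against the built client bundle in CI; a non-zero exit means a secret key reached client-side code and should be rotated from the dashboard.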

Scopes

Keys carry product-prefixed scopes. An endpoint requires at least one of its listed scopes; missing scopes produce a permission_error with HTTP 403.

| Scope | Grants |
| --- | --- |
| platform:read | Read organizations, memberships, users, events. |
| platform:write | Mutate platform resources. |
| platform:api_keys:write | Create and revoke API keys. |
| platform:webhook_endpoints:write | Manage webhook endpoints. |
| brand:read | Read brand rules, palettes, fonts, checks. |
| brand:write | Mutate brand resources. |
| brand:rules:write | Manage brand rules. |
| brand:palettes:write | Manage palettes. |
| brand:checks:write | Run compliance checks. |
| cms:read | Read icons, sets, slide assets, deployments. |
| cms:write | Mutate CMS resources. |
| cms:icons:write | Upload and manage icons. |
| cms:slides:write | Manage slide assets and PPT sets. |
| cms:deployments:write | Create deployments. |

OAuth 2.0 client credentials

Integrations that act on behalf of an OAuth application exchange client credentials for an access token (RFC 6749):

curl -X POST https://staging.consistly.io/api/public/v1/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=oa_client_..." \
  -d "client_secret=oa_secret_..."

Tokens can be inspected with POST /oauth/introspect and revoked with POST /oauth/revoke. See the OAuth endpoints reference for details.

Note that /oauth/token authenticates with the client credentials in the request body — not a bearer header — and is exempt from idempotency and rate-limit keying since those are keyed on API keys.
