Authenticate with the Bonfire API
Every request to the public REST API (/api/v1) is authenticated with a Bearer key created in the Admin panel. Follow these steps.
1. Create an API key
- Sign in to your community (email or Google).
- Go to Admin → API Keys.
- Click Create key, name it (e.g. production-server), and choose its scopes.
- Copy the key immediately — it is shown only once.
Keys are tied to your community. Treat them like passwords: store them in a secret manager, never in client-side code or git.
2. Send an authenticated request
Pass the key in the Authorization header as a Bearer token:
curl https://your-community.onbonfire.com/api/v1/members \
-H "Authorization: Bearer bf_live_xxxxxxxxxxxxxxxx"
A missing or invalid key returns 401 Unauthorized. A valid key without the required scope returns 403 Forbidden.
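A minimal Python client for the behaviour described above, added here as an illustration and not Bonfire's own code: it reads the key from the environment instead of the source, refuses non-HTTPS base URLs, and separates the 401 and 403 cases. The variable name `BONFIRE_API_KEY` and the function and exception names are assumptions.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class InvalidKey(Exception):
    """401: the key is missing, mistyped or revoked."""


class MissingScope(Exception):
    """403: the key is valid but lacks the scope the endpoint requires."""


def build_request(base_url, path, env=os.environ):
    """Build a GET request that carries the key as a Bearer token."""
    key = env.get("BONFIRE_API_KEY")  # assumed variable name, set by your secret manager
    if not key:
        raise InvalidKey("BONFIRE_API_KEY is not set")
    if urlsplit(base_url).scheme != "https":
        # A Bearer key sent over plain HTTP is readable by anyone on the path.
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    req = urllib.request.Request(base_url.rstrip("/") + "/" + path.lstrip("/"))
    req.add_header("Authorization", f"Bearer {key}")
    return req


def fetch(req, needed_scope, opener=urllib.request.urlopen):
    """Send the request; map 401 and 403 to distinct errors without echoing the key."""
    try:
        with opener(req, timeout=10) as resp:
            return resp.read()  # raw body; the response format is not covered here
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise InvalidKey("401 Unauthorized: check or replace the key") from None
        if err.code == 403:
            raise MissingScope(f"403 Forbidden: key lacks scope {needed_scope}") from None
        raise
```

Handling the two errors separately matters operationally: a 401 means the credential itself needs replacing, while a 403 means the key's scopes need changing in Admin → API Keys.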
3. Scope keys to least privilege
Each key carries scopes that gate what it can do. Grant only what the integration needs:
| Scope | Allows |
|---|---|
| members:read | List and read member profiles |
| members:write | Invite, update, remove members |
| content:read | Read spaces, channels, courses |
| content:write | Create/update channels, lessons |
| analytics:read | Read growth, retention, revenue metrics |
4. Rotate and revoke
Rotate keys periodically and immediately revoke any that leak: Admin → API Keys → Revoke. Revocation is instant; issue a new key first to avoid downtime.
Related
- API Design Principles
- Webhooks
- Rate Limits and Errors
FAQ
Where do I find my key after creating it? You can't view the secret again. If lost, revoke it and create a new one.
Can members create API keys? No. Only owners and admins can access Admin → API Keys.
Is the key the same as my login? No. Sign-in uses email or Google; API keys are separate credentials for machines.
What base URL do I use? Your community's domain plus /api/v1, e.g. https://your-community.onbonfire.com/api/v1.