docs/guides/development/machine-auth/api-keys.mdx
3 additions & 0 deletions
@@ -43,6 +43,9 @@ If you would like to prevent the API Keys tab from appearing in the user or orga
43
43
44
44
It's also possible to render the [`<APIKeys />` component](/docs/reference/components/api-keys) directly if you'd like to embed the API key management UI directly into your application's user interface.
45
45
46
+
> [!TIP]
47
+
> Hiding the UI doesn't prevent users from creating API keys — they can still call Clerk's Frontend API directly. If you want to ensure only backend-issued API keys are valid, use the `scopes` or `claims` parameters (available only via the [Backend SDK](#creating-api-keys)) when creating keys. Your verification logic can then reject any keys missing the required scopes or claims, making user-created keys ineffective.
48
+
46
49
## Using API keys in requests
47
50
48
51
Once you have an API key, you can use it to authenticate requests to your application's API. The API key should be sent as a Bearer token in the `Authorization` header:
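Review bot: The callout added at new lines 46 to 48 is tagged `[!TIP]`, but its first sentence states a security limitation (hiding the tab does not stop users from creating keys through the Frontend API), so a reader who treats tips as optional may skip it; a warning- or important-style callout would fit better if the docs support one. The mitigation is also only effective when the application's verification checks the required scope or claim on every route that accepts API keys, yet the text says the logic "can then reject" such keys without showing or linking to how that check is done; consider phrasing it as a requirement and linking to the verification section. Please also confirm that the `#creating-api-keys` anchor resolves on this page.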