Skip to main content
For AI agents: a documentation index is available at https://docs.coverbase.com/llms.txt — this page is also available in markdown by appending .md to the URL.
The Coverbase API uses bearer token authentication. Every request must include a credential in the Authorization header. For the full set of cross-cutting rules (IDs, timestamps, idempotency, error envelope) see API conventions.
API keys grant significant access to your TPRM data. Never share them in public repositories, client-side code, screenshots, or support tickets. Treat them like passwords.

Request an API key

API keys are provisioned by a Coverbase admin in your organization. Each key looks like ak_..., is scoped to a single organization, and authenticates as a service account — all data it can read or write is implicitly scoped to that org. Contact your admin or Coverbase account manager to request one. A logged-in user JWT (the dashboard session token) is also accepted, which is convenient for first-party scripts running as a user. By default a key carries no elevated permissions and can only call ordinary /v1/* routes. An admin can also mint a key with admin scopeskeys:manage (manage ak_* keys) and/or audit:read (read the system audit log) — to drive those admin surfaces headlessly, without a short-lived dashboard token. The admin-JWT path still works for both. See API key scopes and the API Keys reference.

Base URLs

EnvironmentBase URL
Productionhttps://api.coverbase.app
Sandboxhttps://sandbox.api.coverbase.app
Build against the sandbox first, then repoint at production. See API conventions → Base URLs.

Authorization header

Include your key as a bearer token in every request: 
Authorization: Bearer ak_...

Test your connection

Use the /v1/utils/authtest endpoint to verify three things at once: your key is valid, you can reach Coverbase’s servers, and your firewall or proxy allows outbound HTTPS traffic. 
curl -H "Authorization: Bearer ak_live_xxx" \
     https://api.coverbase.app/v1/utils/authtest
A successful request returns 200 OK: 
{ "msg": "Auth successful" }

Common errors

Your credential is missing, malformed, expired, or revoked — or its role is not permitted on the public API (the response message reads Unauthorized role.). Confirm the Authorization header is present and the key is active.
Your credential is valid but not authorized for what it tried to do — most often an ak_* key calling an admin endpoint without the required scope (insufficient_scope), or a non-admin caller trying to grant scopes when creating a key (scope_grant_forbidden). A configured API IP allowlist can also return 403 ip_not_allowed. See API key scopes.
The resource does not exist, or it belongs to a different organization than your API key. All data is org-scoped to the key.
Check your VPN, proxy, and firewall rules. Coverbase requires outbound HTTPS access to api.coverbase.app.
Unauthenticated requests are rejected. There is no public unauthenticated surface area on the API.