To authenticate to the API you must provide a secret which can, currently, only be generated through the Katapult Console.

Types of API token

There are two types of API token which you can generate.

Organization level API tokens can be created within a specific organization. These tokens will only have access to the organization they are created within. They will have acccess to use any endpoint that is within the scopes that are assigned to the API token.

User level API tokens belong to users and are managed through their own Settings. Organization admins have no control over these. These tokens will have the same level of access to the API as the user has through their role. Additionally, they can be limited using the scope functionality to further restrict their ability to make changes.

Providing authentication

API tokens should be presented to the API in the Authorization header as a bearer token. For example:

Authorization: Bearer {token-here}

Network restrictions

API tokens can be restricted to only work from certain networks. By default, they will work from any network.


We do not store the secret for an API token in any form that can be recovered if you lose it. It will be available in the web interface for a short period of time after creation only.

If you do need to, you can re-generate the secret at any time which will immediately invalidate the old token.