Authentication
The sharetodos API uses API keys to authenticate requests.
API keys
Create an API key at sharetodos.com/developers. Each key is tied to your account and inherits your permissions.
Keys are shown once. Copy your key immediately after creating it — it cannot be retrieved again. If lost, revoke it and create a new one.
Keys follow this format:

sk_live_a1b2c3d4e5f6...   ← 64 hex characters after the prefix

| Prefix | Environment | Description |
|---|---|---|
| sk_live_ | Production | Reads and writes real data |
| sk_test_ | Test | Sandbox environment (coming soon) |
Sending your key
Pass the key in the X-API-Key request header:

```bash
curl https://api.sharetodos.com/v1/me \
  -H "X-API-Key: sk_live_your_key_here"
```

For all mutating requests, set Content-Type: application/json alongside the key:

```bash
curl -X POST https://api.sharetodos.com/v1/actions/add \
  -H "X-API-Key: sk_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"items": ["buy milk"], "list": "Shopping"}'
```

Verifying your key
Call GET /v1/me to confirm your key is working and see what scopes it has:

```bash
curl https://api.sharetodos.com/v1/me \
  -H "X-API-Key: sk_live_your_key_here"
```

```json
{
  "data": {
    "id": "user_abc123",
    "email": "you@example.com",
    "name": "Your Name",
    "username": "yourname",
    "scopes": ["lists:read", "lists:write", "items:read", "items:write", "profile:read"]
  },
  "error": null
}
```

Scopes
API keys carry scopes that control what they can do. All keys currently receive the full scope set below — granular key scopes are on the roadmap.
| Scope | Permissions |
|---|---|
| lists:read | Read lists and their metadata |
| lists:write | Create lists, invite members, share |
| items:read | Read items in any accessible list |
| items:write | Add, complete, and remove items |
| profile:read | Read your own profile (/me) |
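A client should check the scopes returned by GET /v1/me before attempting a call, rather than discovering a missing permission as a failed write halfway through a job. The following is an added example, not sharetodos' own client code: it parses the /v1/me envelope shown above (embedded here as a constructed sample), rejects an error envelope outright, flags scopes the client has never heard of (useful once granular scopes ship), and preflights a list of planned calls. The mapping of /v1/actions/add to items:write is an assumption drawn from the scope table, not something the documentation states.

```python
import json
from typing import Optional

# Scope set from the documentation's table (all keys currently receive all of it).
KNOWN_SCOPES = {
    "lists:read", "lists:write", "items:read", "items:write", "profile:read",
}

# Scope each documented call needs. The /v1/actions/add mapping is an assumption
# drawn from the scope table ("items:write: Add, complete, and remove items").
REQUIRED_SCOPE = {
    ("GET", "/v1/me"): "profile:read",
    ("POST", "/v1/actions/add"): "items:write",
}

# Constructed sample: the /v1/me response body as shown in the docs.
SAMPLE_ME_RESPONSE = """{
  "data": {
    "id": "user_abc123",
    "email": "you@example.com",
    "name": "Your Name",
    "username": "yourname",
    "scopes": ["lists:read", "lists:write", "items:read", "items:write", "profile:read"]
  },
  "error": null
}"""


def scopes_from_me_response(body: str) -> set:
    """Extract the granted scope set from a /v1/me response envelope.

    Raises PermissionError if the envelope carries an error (for example a
    revoked key), so callers never proceed on a half-parsed response.
    """
    doc = json.loads(body)
    if doc.get("error") is not None:
        raise PermissionError(f"/v1/me returned an error: {doc['error']}")
    return set(doc["data"].get("scopes", []))


def unknown_scopes(granted: set) -> set:
    """Scopes the server reported that this client does not know about.

    Worth logging: when granular scopes ship, new names will show up here first.
    """
    return granted - KNOWN_SCOPES


def missing_scope(granted: set, method: str, path: str) -> Optional[str]:
    """Return the scope a call needs but the key lacks, or None if the call is allowed."""
    needed = REQUIRED_SCOPE[(method, path)]
    return None if needed in granted else needed


def preflight(body: str, calls: list) -> list:
    """Check every planned call against the key's scopes before making any of them.

    Returns a list of human-readable problems; an empty list means go ahead.
    """
    granted = scopes_from_me_response(body)
    problems = []
    for method, path in calls:
        lacking = missing_scope(granted, method, path)
        if lacking:
            problems.append(f"{method} {path} needs {lacking}")
    return problems


if __name__ == "__main__":
    planned = [("GET", "/v1/me"), ("POST", "/v1/actions/add")]
    print(preflight(SAMPLE_ME_RESPONSE, planned))  # [] with the full scope set
```

Run preflight once at startup with the real /v1/me body; if it returns anything, stop before the first mutating request rather than retrying on a 403 later.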
Security recommendations
- Store keys in environment variables, never in source code
- Use separate keys per environment (local, staging, production)
- Rotate keys periodically or immediately if you suspect a leak
- Give each integration its own key so you can revoke independently
- Never log or transmit keys in plaintext
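The recommendations above are easiest to follow when the key never passes through code that could print it. The following is an added example, not sharetodos' own SDK: it reads the key only from an environment variable, validates it against the documented format (sk_live_ or sk_test_ followed by 64 hex characters; accepting upper-case hex is an assumption, the docs' sample is lower-case), builds the X-API-Key and Content-Type headers from the "Sending your key" section, and produces a redacted form for logs and error messages. The variable name SHARETODOS_API_KEY is assumed; the documentation does not prescribe one.

```python
import os
import re

# Key shape from the docs: prefix sk_live_ / sk_test_, then 64 hex characters.
# Accepting upper-case hex too is an assumption; the docs' sample is lower-case.
KEY_PATTERN = re.compile(r"sk_(live|test)_[0-9a-fA-F]{64}")
ENV_VAR = "SHARETODOS_API_KEY"  # assumed variable name; not prescribed by the docs


def is_well_formed(key: str) -> bool:
    """True if the key matches the documented format exactly (no extra characters)."""
    return KEY_PATTERN.fullmatch(key) is not None


def redact(key: str) -> str:
    """Render a key for logs: environment prefix, masked body, last 4 characters."""
    if not is_well_formed(key):
        return "<malformed key>"
    return f"{key[:8]}{'*' * 8}{key[-4:]}"


def load_key(environ=None, env_var: str = ENV_VAR) -> str:
    """Read the key from the environment; never accept it from source or argv.

    Error messages deliberately carry only the redacted form, so a stack trace
    in a log file cannot leak the credential.
    """
    environ = os.environ if environ is None else environ
    key = environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set")
    if not is_well_formed(key):
        raise ValueError(f"{env_var} does not look like a sharetodos key: {redact(key)}")
    return key


def headers_for(key: str, mutating: bool = False) -> dict:
    """Headers the docs require: X-API-Key always, Content-Type on mutating calls."""
    h = {"X-API-Key": key}
    if mutating:
        h["Content-Type"] = "application/json"
    return h


def loggable(headers: dict) -> dict:
    """Copy of a header dict that is safe to log: the key is replaced by its redacted form."""
    return {k: (redact(v) if k == "X-API-Key" else v) for k, v in headers.items()}


if __name__ == "__main__":
    key = load_key()
    # Only the redacted headers ever reach stdout or a log line.
    print(loggable(headers_for(key, mutating=True)))
```

Keep a separate variable (and therefore a separate key) per environment, as the list above suggests; the redacted prefix then tells you at a glance which environment's key a log line refers to without exposing the rest of it.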