Overview
Every request to /v1/* must include an Authorization header with a valid API token:
```
Authorization: Bearer <your_token>
```
Requests without a valid token return TOKEN_INVALID (401).
Creating a token
- Open the dashboard
- Click New token
- Copy the token immediately — it is shown only once and cannot be retrieved again
If you lose a token, revoke it from the dashboard and generate a new one.
Using your token
Pass the token in the Authorization header on every request:
```bash
curl https://api.done.app/v1/schemas \
  -H "Authorization: Bearer <your_token>"
```
Never include your API token in client-side code or commit it to source control. Store it in an environment variable or a secrets manager.
Example — environment variable
```
# .env
DONE_API_KEY=your_token_here
```

```js
// The token is read from the environment at runtime, never hard-coded.
const res = await fetch('https://api.done.app/v1/schemas', {
  headers: {
    Authorization: `Bearer ${process.env.DONE_API_KEY}`,
    'Content-Type': 'application/json',
  },
})
```
Token security model
| Property | Detail |
|---|---|
| Storage | Only the SHA-256 hash of your token is stored. The plaintext is never persisted. |
| Retrieval | Tokens cannot be retrieved after creation. Lost tokens must be revoked and replaced. |
| Scope | Tokens are scoped to your account — they can access all resources owned by your user. |
| Rotation | Revoke a token from the dashboard at any time. Revocation is immediate. |
Error responses
| Situation | Code | Status |
|---|---|---|
| Authorization header missing | TOKEN_INVALID | 401 |
| Wrong scheme (not Bearer) | TOKEN_INVALID | 401 |
| Token not found or revoked | TOKEN_INVALID | 401 |
See TOKEN_INVALID for the full error reference.
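
The storage, revocation and error behaviour from the two tables above, sketched as a server-side check. This is an added example, not the service's own code: `tokenStore`, `issueToken`, `revokeToken` and `authenticate` are hypothetical names, and the in-memory map, the token format and the exact-case `Bearer` match are assumptions.

```javascript
// Added illustration of the model described above; not the service's code.
// tokenStore, issueToken, revokeToken and authenticate are hypothetical names.
const { createHash, randomBytes, randomUUID } = require('node:crypto');

const sha256Hex = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// Stand-in for the token table: SHA-256 hex digest -> record. No plaintext.
const tokenStore = new Map();
const DENY = Object.freeze({ status: 401, code: 'TOKEN_INVALID' });

// Create a token. The plaintext is returned to the caller exactly once.
function issueToken(userId) {
  const token = randomBytes(32).toString('base64url');
  const id = randomUUID();
  tokenStore.set(sha256Hex(token), { id, userId, revoked: false });
  return { id, token };
}

// Revoke by token id (the plaintext is not needed and not available).
function revokeToken(id) {
  for (const rec of tokenStore.values()) {
    if (rec.id === id) { rec.revoked = true; return true; }
  }
  return false;
}

// Validate an Authorization header value; every failure looks the same.
function authenticate(headerValue) {
  if (typeof headerValue !== 'string') return DENY;   // header missing
  const m = /^Bearer (\S+)$/.exec(headerValue);
  if (!m) return DENY;                                // wrong scheme or malformed
  const rec = tokenStore.get(sha256Hex(m[1]));
  if (!rec || rec.revoked) return DENY;               // not found or revoked
  return { status: 200, userId: rec.userId };
}
```

Because the store is keyed by digest, a lost token cannot be looked up or re-displayed, and returning the same `TOKEN_INVALID` for every failure keeps the response from revealing whether a token ever existed.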