Authentication¶
Every request needs an API key in the X-API-Key header.
GET /backend-api/api/public/v1/projects HTTP/1.1
Host: app.autonomiq.de
X-API-Key: smk_live_q3z7m...
Token format¶
Live keys: smk_live_<40 base32 chars>.
The plaintext is shown exactly once on creation. SimplyMill stores only an argon2id hash. A lost key cannot be recovered; revoke and mint a new one.
Minting a key¶
Mint and manage keys from the SimplyMill web app:
- Sign in at app.autonomiq.de.
- Open Settings → API keys in the sidebar.
- Click Create new key, enter a memorable name (e.g. "Production integration"), and confirm.
- Copy the plaintext key. This is the only time it will be displayed, so store it in your secrets manager immediately.
Keys minted from this page grant full access to your account (every scope listed below). The list view shows each key's name, prefix, creation date, and last-used timestamp so you can track usage.
Scopes¶
Every public endpoint declares the scopes it requires (x-required-scopes in OpenAPI). Keys with missing scopes are rejected with 403. Keys minted via the web app hold the full set, so this matters mostly when you understand which capabilities a given key needs to be authorised for.
| Scope | Grants |
|---|---|
projects:read |
List projects, fetch tasks. |
projects:write |
Create / delete projects. |
cam:write |
Upload workpieces, set stock, postprocess. |
automation:run |
Start automated CAM planning. |
quote:read |
Read cost breakdowns. |
quote:write |
Override pricing, MHR, setup costs, per-user defaults. |
quote:export |
Download CSV / Excel quotes. |
equipment:read |
List holders, tools, assemblies. |
equipment:write |
Create / update / delete equipment. |
libraries:read |
List machines / materials / equipment libraries. |
webhooks:write |
Register and revoke webhook endpoints. |
Revoking a key¶
In Settings → API keys, click Revoke next to the key you want to disable. Revocation is effective within ~60 seconds (positive auth results are cached in Redis with a 60s TTL). Any integration still using the revoked key will start receiving 401 Unauthorized once the cache expires.