Authentication
All requests to the Xavigate API require a Bearer token in the Authorization header.
Authorization: Bearer test_sk_abc123...
Key structure
Every API key has three components: environment prefix, type, and secret.
| Prefix | Environment | Use |
|---|---|---|
| test_pk_* | Sandbox | Client-side (public) |
| test_sk_* | Sandbox | Server-side (secret) |
| live_pk_* | Production | Client-side (public) |
| live_sk_* | Production | Server-side (secret) |
sk_* keys are secret. Never expose them in client-side code, browser requests, or version control. Only pk_* keys are safe for client-side use.
The key prefix determines which environment your request runs against — sandbox requests hit the sandbox database, production requests hit production. There is no separate base URL; the same endpoint handles both, routing based on key prefix.
During the closed beta, the Worker is at https://xavigate-api-v2.steven-c8f.workers.dev. The api.xavigate.com domain cuts over at general availability.
Sandbox vs production
| | Sandbox | Production |
|---|---|---|
| Keys | test_* | live_* |
| Data | Isolated test database | Real data |
| Billing | No charges | Metered per tier |
| Webhook events | Delivered to test endpoints only | Delivered to production endpoints |
| Rate limits | Standard tier limits | Standard tier limits |
Create unlimited subjects, run assessments, and test your integration in sandbox without touching production data or incurring charges.
Scopes
Keys are minted with specific scopes. A key with nature:read cannot create subjects; a key with nature:write cannot call read-only endpoints on other products.
| Scope | Operations |
|---|---|
| nature:read | GET /v1/nature/* |
| nature:write | POST, PATCH, DELETE /v1/nature/* |
Other product scopes (careers:read, situational:write, etc.) exist in the schema but are not mintable until those products launch.
Mint keys with the minimum scopes your integration needs. A server-side integration that only reads profiles doesn't need nature:write.
Managing keys
Closed beta: keys are provisioned directly — email team@xavigate.com to request access or rotate a key.
Self-serve key management opens with the developer dashboard at general availability. When live, the dashboard at dev.xavigate.com/dashboard will support:
- Create — name a key, select scopes, receive the raw value once (store it securely)
- Rotate — invalidates the current key and returns a new one
- Revoke — permanently disables the key; requests using it will receive 401
Revocation cannot be undone. If you revoke a key in use, all integrations using it will receive 401 unauthenticated immediately.
Errors
| Status | Error code | Cause |
|---|---|---|
| 401 | unauthenticated | Missing Authorization header, malformed key, key not found, key revoked |
| 403 | insufficient_scope | Key exists but lacks the required scope for this operation |
See Errors for the full error model.
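The checks described under Key structure, Scopes and Errors, modelled as a Worker-style handler. This is an added illustrative example, not Xavigate's own code; the in-memory key store, the sample key values and the handleRequest name are constructed assumptions.

```javascript
// Added illustrative example, not Xavigate's Worker code. Models the checks on
// this page: Bearer header, key structure, scope per operation, 401/403 codes.
const KEY_RE = /^(test|live)_(pk|sk)_[A-Za-z0-9]+$/;

// Constructed stand-in for the key store; real keys are provisioned by the team.
const KEYS = new Map([
  ["test_sk_abc123", { scopes: ["nature:read", "nature:write"], revoked: false }],
  ["test_pk_def456", { scopes: ["nature:read"], revoked: false }],
  ["live_sk_ghi789", { scopes: ["nature:read"], revoked: true }],
]);

// Scope an operation needs, per the Scopes table. Paths outside /v1/nature/
// belong to products whose scopes are not mintable yet, so null means "no key
// can satisfy this" rather than "no scope required".
function requiredScope(method, path) {
  if (!path.startsWith("/v1/nature/")) return null;
  return method === "GET" ? "nature:read" : "nature:write";
}

// Decide the request's fate. Returns { status: 200, env, keyType } or
// { status, error } using the pairs from the Errors table.
function authorize(authorization, method, path) {
  const bearer = /^Bearer (\S+)$/.exec(authorization ?? "");
  const key = bearer && KEY_RE.test(bearer[1]) ? bearer[1] : null;
  if (key === null) return { status: 401, error: "unauthenticated" }; // missing or malformed
  const record = KEYS.get(key);
  if (!record || record.revoked) return { status: 401, error: "unauthenticated" }; // unknown or revoked
  const scope = requiredScope(method, path);
  if (scope === null || !record.scopes.includes(scope)) {
    return { status: 403, error: "insufficient_scope" }; // key exists but cannot do this
  }
  const [, envPrefix, keyType] = KEY_RE.exec(key);
  // The prefix alone selects the environment; there is no separate base URL.
  return { status: 200, env: envPrefix === "live" ? "production" : "sandbox", keyType };
}

// Worker-style entry point around authorize() (hypothetical name).
async function handleRequest(request) {
  const url = new URL(request.url);
  const result = authorize(request.headers.get("Authorization"), request.method, url.pathname);
  const body = result.status === 200 ? { env: result.env, path: url.pathname } : { error: result.error };
  return new Response(JSON.stringify(body), {
    status: result.status,
    headers: { "content-type": "application/json" },
  });
}
```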