Authentication

Every authenticated request must send both credentials as headers:

X-Client-Id: lk_id_xxxxxxxxxxxxxxxxxxxxxxxx
X-Client-Secret: lk_secret_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Example:

curl https://laabam.app/api/v1/invoices \
  -H "X-Client-Id: lk_id_4f9c2a7b1e8d3c6a5b0f9e2d" \
  -H "X-Client-Secret: lk_secret_a1b2c3d4e5f6...." \
  -H "Accept: application/json"

How it works:

  • The Client ID is a public identifier and may appear in logs.
  • The Client Secret is sensitive. Only its SHA-256 hash is stored, and it is verified with a constant-time comparison, so the plaintext is never persisted and the check does not leak timing information about how much of the secret matched.
  • A request with a missing, unknown, inactive, expired, or mismatched credential is rejected with 401 Unauthorized. The response never reveals which part was wrong.
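The verification described in the list above, written out as an added Python example. This is not the service's own server code: the client records, the secret values and the fixed-cost handling of unknown Client IDs are assumptions made for illustration. It shows why the secret can be stored as a bare SHA-256 digest, how the constant-time comparison is done, and how every failure mode collapses into the same generic 401.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple


@dataclass(frozen=True)
class ClientRecord:
    """What the server keeps per client: never the plaintext secret."""
    client_id: str
    secret_sha256: str            # hex SHA-256 digest of the secret
    active: bool
    expires_at: Optional[float]   # Unix timestamp, or None for no expiry


def hash_secret(secret: str) -> str:
    """Digest used both when a secret is issued and when it is verified."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed sample credentials (not real keys). A real service would load
# these records from its database; only digests are stored here.
KNOWN_ID = "lk_id_4f9c2a7b1e8d3c6a5b0f9e2d"
KNOWN_SECRET = "lk_secret_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4"
INACTIVE_ID = "lk_id_00000000000000000inactive"
EXPIRED_ID = "lk_id_000000000000000000expired"

CLIENTS = {
    KNOWN_ID: ClientRecord(KNOWN_ID, hash_secret(KNOWN_SECRET), True, None),
    INACTIVE_ID: ClientRecord(INACTIVE_ID, hash_secret("lk_secret_inactive"), False, None),
    EXPIRED_ID: ClientRecord(EXPIRED_ID, hash_secret("lk_secret_expired"), True, 100.0),
}

# Assumed design choice: when the Client ID is unknown we still hash and compare
# against a dummy digest, so an unknown ID costs the same work as a wrong secret
# and response time does not reveal which part failed.
DUMMY_DIGEST = hash_secret("")

UNAUTHORIZED: Tuple[int, str] = (401, "Unauthorized")


def authenticate(headers: Mapping[str, str],
                 now: Optional[float] = None) -> Tuple[int, str]:
    """Return (status, body). 200 carries the client id; every failure is 401."""
    now = time.time() if now is None else now
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    client_id = h.get("x-client-id")
    secret = h.get("x-client-secret")
    if client_id is None or secret is None:
        return UNAUTHORIZED

    record = CLIENTS.get(client_id)
    expected = record.secret_sha256 if record is not None else DUMMY_DIGEST
    # compare_digest does not stop at the first differing byte, so the time
    # taken does not depend on how many leading characters matched.
    secret_matches = hmac.compare_digest(hash_secret(secret), expected)

    # Evaluate every condition, then return one generic answer. Branching early
    # on "unknown id" versus "bad secret" is what lets an attacker enumerate ids.
    ok = (
        record is not None
        and secret_matches
        and record.active
        and (record.expires_at is None or record.expires_at > now)
    )
    if not ok:
        return UNAUTHORIZED
    return (200, record.client_id)


if __name__ == "__main__":
    print(authenticate({"X-Client-Id": KNOWN_ID, "X-Client-Secret": KNOWN_SECRET}))
    print(authenticate({"X-Client-Id": KNOWN_ID, "X-Client-Secret": "lk_secret_wrong"}))
```

A high-entropy secret generated by the service can be stored as a plain SHA-256 digest because an attacker who steals the table cannot guess the preimage; this is unlike a user-chosen password, which would need a slow, salted hash.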

Never expose the secret in client code

Treat the Client Secret like a password. Don't embed it in browser or mobile apps you ship to users — proxy API calls through your own backend. See Security.