Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.scaling.cloud/llms.txt

Use this file to discover all available pages before exploring further.

The Scaling API uses API keys to authenticate requests. Every request must include a valid key in the Authorization header. Requests without a key, or with an invalid key, return a 401 error.

API key format

Scaling API keys have this format: 
scl_live_<token>
Keep your API key private. Anyone who holds it can make API calls on behalf of your organization.

Obtaining an API key

1

Open Settings

In the Scaling dashboard, click Settings in the sidebar.
2

Go to API Access

Select API Access from the settings menu.
3

Create a key

Click Generate API key, give it a descriptive name, and copy the key. Scaling displays the full key only once — store it somewhere safe immediately.

Including the key in requests

Pass your API key as a Bearer token in the Authorization header: 
Authorization: Bearer scl_live_your_api_key_here
Example: 
curl --request GET \
  --url https://api.scaling.cloud/v1/oncall/schedules \
  --header 'Authorization: Bearer scl_live_your_api_key_here' \
  --header 'Content-Type: application/json'

Authentication errors

If a request fails authentication, the API returns 401 Unauthorized with one of the following error codes: Missing Authorization header: 
{
  "statusCode": 401,
  "type": "not_authorized_error",
  "code": "missing_authorization_header",
  "requestId": "550e8400-e29b-41d4-a716-446655440000"
}
Invalid or expired API key: 
{
  "statusCode": 401,
  "type": "not_authorized_error",
  "code": "invalid_api_key",
  "requestId": "550e8400-e29b-41d4-a716-446655440000"
}
See Errors for the complete reference on error shapes and codes.

Security best practices

Treat your API key like a password. If a key is compromised, rotate it immediately from Settings → API Access.
  • Never commit keys to source control. Use environment variables or a secrets manager (such as AWS Secrets Manager or HashiCorp Vault) to inject keys at runtime.
  • Rotate keys regularly. Rotate any key that may have been exposed. Deleting a key immediately revokes all access for that key.
  • Use one key per integration. Create a separate key for each service or pipeline that needs API access. This limits the blast radius if a key is compromised and makes it easy to revoke access for a single integration without affecting others.
  • Restrict access at the org level. Only share API keys with team members who need them. Remove access for keys tied to decommissioned integrations.