Skip to main content
API keys authenticate server-to-server calls to the SIS API. They are organisation-scoped and not tied to a specific environment.
API keys are only required for server-to-server SIS API calls. If your integration passes provider JWTs directly from the browser, you don’t need an API key — those requests authenticate via the JWT itself.

When You Need an API Key

Use an API key when your backend server calls the SIS API directly — for example, to look up a user’s identity data, verify a , or manage organisation configuration programmatically. Never expose API keys in client-side code.

Creating a Key

  1. Go to API Keys and click New API key
  2. Give the key a descriptive name (e.g. backend-production)
  3. Copy the key value — it is shown once only and cannot be retrieved again
Store your API key securely. It is only shown at creation time. If you lose it, you will need to revoke the key and create a new one.

Using a Key

Include the API key in the Authorization: Bearer header on SIS API requests. You don’t need a separate organisation header — the key is already scoped to your organisation: 
curl https://sis.sumvin.com/v0/organisation/{organisation_id}/users \
  -H "Authorization: Bearer <your-api-key>"
See the SIS API Reference for the full set of endpoints that accept API key authentication.

Revoking a Key

  1. Locate the key in the API Keys table
  2. Click Revoke
  3. Confirm the prompt
Revocation is immediate. Any requests using the revoked key will be rejected with 401 Unauthorized.