Authentication and Access
Understand how Deck verifies keys, enforces org policy, and protects customer data.
Authentication and Access
Every Public API request is verified before Deck returns data. Deck does not just check that a key exists. It also checks whether the organization allows API access and whether the key owner is still allowed to use the API.
Access model
Each successful request depends on four things:
- a valid API key
- Public API being enabled for the organization
- the key owner’s current role being allowed
- the requested scope being enabled
API keys
Deck API keys are:
- created in Settings → API Access
- owned by a specific user
- scoped to a specific organization
- evaluated against endpoint-required scope (
readorwrite)
How requests are authorized
For every authenticated endpoint, Deck performs these checks:
- extract the API key from the request headers
- verify the key
- resolve the key’s organization and owner
- load the organization’s Public API settings
- require Public API to be enabled for that organization
- verify the owner still belongs to that organization
- verify the owner’s current role is allowed
- verify the endpoint’s required scope is enabled
If any of those checks fail, the request is rejected immediately.
Scope model
readscope is used by all read endpoints (GET /themes,GET /insights, etc.)writescope is required by Build mutation endpoints:POST /build/initiativesPOST /build/opportunities
Write endpoints additionally require an Idempotency-Key header.
Organization policy
Go to Settings → API Access to control who can use the Public API.
Organization admins can:
- enable or disable Public API access
- choose which org roles can use it
Supported roles today:
- admins
- members
By default:
- Public API is disabled
- only admins are allowed
Key ownership
Key ownership matters because access is evaluated against the owner’s current permissions, not just the state at the moment the key was created.
This means:
- if a user loses access, their key stops working
- if a user leaves the organization, their key is revoked
- org members can only manage their own keys in the UI
- org admins can see and revoke all keys for the organization
If a user loses access to the organization, their key stops working.
Headers
Preferred:
Authorization: Bearer dk_us_...Supported fallback:
X-API-Key: dk_us_...Error responses
All error responses use the same shape:
{
"error": {
"code": "INVALID_API_KEY",
"message": "Invalid or expired API key."
}
}Common access errors
| Code | Status | Meaning |
|---|---|---|
UNAUTHORIZED | 401 | No key was sent |
INVALID_API_KEY | 401 | The key is invalid, expired, revoked, or malformed |
API_DISABLED | 403 | Public API is disabled for the org, or the org is not eligible for a gated resource |
ROLE_NOT_ALLOWED | 403 | The key owner is not allowed to use the API |
MEMBERSHIP_REVOKED | 403 | The key owner no longer belongs to the org |
SCOPE_NOT_ALLOWED | 403 | The requested scope is not enabled |
Tenant isolation
The Public API is organization-scoped by design:
- the organization is resolved from the verified key
- clients never send an
orgId - all reads are filtered to the authenticated organization
This protects against accidental cross-org access and keeps integrations simple for clients.
Subthemes access
The /subthemes endpoints have one extra rule: the organization must also be eligible for the subthemes feature. If not, those requests return 403 API_DISABLED even if the Public API is otherwise enabled.