Authentication
The HeadshotPro API uses Bearer token authentication. All requests must include your API key in the Authorization header.
Getting Your API Key
- Log in to HeadshotPro as a Team Owner or Admin
- Navigate to Admin Dashboard > API
- Click Generate API Key
- Copy and securely store your key
Important: API keys are shown only once. Store them securely and never commit them to source control.
Making Authenticated Requests
Include your API key in the Authorization header:
```bash
curl -X GET "https://server.headshotpro.com/api/v2/organization" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"
```
Node.js Example
```javascript
// Key comes from the environment, never from a bundled constant
const response = await fetch('https://server.headshotpro.com/api/v2/organization', {
  method: 'GET',
  headers: {
    'Authorization': `Bearer ${process.env.HEADSHOTPRO_API_KEY}`,
    'Content-Type': 'application/json'
  }
});
const data = await response.json();
```
Python Example
```python
import os
import requests

# Key comes from the environment, never from a hard-coded string
headers = {
    'Authorization': f'Bearer {os.environ["HEADSHOTPRO_API_KEY"]}',
    'Content-Type': 'application/json'
}
response = requests.get(
    'https://server.headshotpro.com/api/v2/organization',
    headers=headers
)
```
API Key Scopes
API keys are scoped to your organization. All actions performed with the key are associated with your organization and subject to your plan's limits.
| Scope | Description |
|---|---|
| Organization | Read organization details and credits |
| Invites | Create, list, and revoke invitations |
| Teams | Manage teams and team membership |
| Models | List and manage AI models |
| Photos | Access generated headshots |
Security Best Practices
- Never expose keys in client-side code - API keys should only be used server-side
- Use environment variables - Store keys in environment variables, not in code
- Rotate keys periodically - Generate new keys and invalidate old ones
- Monitor usage - Review API logs for unexpected activity
- Limit access - Only share keys with team members who need them
Authentication Errors
| Status | Code | Description |
|---|---|---|
| 401 | UNAUTHORIZED | Missing or invalid API key |
| 403 | FORBIDDEN | Key valid but lacks permission for this action |
Example Error Response
```json
{
  "success": false,
  "error": "Invalid API key",
  "code": "UNAUTHORIZED"
}
```
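The following is an added example, not HeadshotPro's own client code, that ties together the request examples, the best practices list and the error table above: it loads the key from `HEADSHOTPRO_API_KEY` and fails fast if it is missing, never writes the full key to a log, and maps a `401`/`403` plus the `{success, error, code}` error envelope to an operator action. It uses only the standard library; the sample error body is constructed to match the example response shown above.

```python
import json
import os
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Mapping, Optional

API_BASE = "https://server.headshotpro.com/api/v2"  # base URL from the docs above

# Constructed sample matching the "Example Error Response" shape in the docs.
SAMPLE_401 = '{"success": false, "error": "Invalid API key", "code": "UNAUTHORIZED"}'


def load_api_key(env: Mapping[str, str] = os.environ) -> str:
    """Read the key from the environment; refuse to send 'Bearer None' or 'Bearer '."""
    key = env.get("HEADSHOTPRO_API_KEY", "").strip()
    if not key:
        raise RuntimeError("HEADSHOTPRO_API_KEY is not set")
    return key


def auth_headers(api_key: str) -> dict:
    return {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}


def redact(api_key: str) -> str:
    """Log-safe form of a key: only the last four characters survive."""
    return "****" + api_key[-4:] if len(api_key) >= 8 else "****"


@dataclass
class Outcome:
    ok: bool
    status: int
    code: Optional[str]  # "UNAUTHORIZED" / "FORBIDDEN" from the error body, if present
    action: str          # what the operator should do next


def classify(status: int, body: str) -> Outcome:
    """Map HTTP status plus the JSON error envelope to an outcome; tolerates non-JSON bodies."""
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        data = {}
    code = data.get("code")
    if 200 <= status < 300 and data.get("success", True):
        return Outcome(True, status, None, "none")
    if status == 401:
        return Outcome(False, status, code or "UNAUTHORIZED", "key missing or invalid: check env var, regenerate if compromised")
    if status == 403:
        return Outcome(False, status, code or "FORBIDDEN", "key valid but lacks permission: do not retry with this key")
    return Outcome(False, status, code, f"unexpected {status}: {data.get('error', body[:200])}")


def get_organization(api_key: str) -> Outcome:
    """GET /organization with the bearer header; 4xx bodies are read from the HTTPError."""
    req = urllib.request.Request(f"{API_BASE}/organization", headers=auth_headers(api_key), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode())
```

Log `redact(key)` together with `Outcome.action` rather than the raw header when a request fails, so a compromised key is not also leaked through your own logs.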
Regenerating Your API Key
If your API key is compromised:
- Go to Settings > API
- Click Delete API Key
- Click Generate API Key to create a new one
- Update all applications using the old key
The old key is immediately invalidated when deleted.