Skip to Content
Authentication

Authentication and API keys

The API uses company API keys (service accounts, not tied to a user). Every request is authenticated with the key as a Bearer token:

curl https://api.kinmu.app/v1/organization \ -H "Authorization: Bearer kinmu_sk_live_xxxxxxxx"

Nature of the keys

The company is always resolved from the key: you never send a companyId in the URL or the body.

AspectDetail
Formatkinmu_sk_live_<40+ chars> (production) · kinmu_sk_test_<40+ chars> (sandbox).
VisibilityShown only once when created. Afterwards you only see the prefix + the first few characters.
IssuanceFrom the dashboard my.kinmu.app → Developers (only global_admin / company_manager).
LimitMaximum 10 active keys per company.
ExpirationOptional (90 / 180 / 365 days or no expiration).

Scopes

Each key carries explicit scopes (least privilege). Without the required scope, the endpoint responds 403 invalid_scope.

ScopeAllows
org:empleados:readRead employees.
org:empleados:writeAdd, update and offboard employees.
org:fichajes:readRead check-ins and work summaries.
org:fichajes:writeRecord check-ins.
org:ausencias:readRead absences.
org:ausencias:writeCreate, approve and reject absences.
org:saldos:readRead vacation balances.
org:estructura:readRead locations and units.
org:informes:readRequest and download reports.
webhooks:manageManage outbound webhooks.

GET /v1/organization does not require a specific scope: it is used for introspection and to validate the key. Reports additionally require the read scope of their domain: e.g. absences_export requires org:ausencias:read.

Grant each integration only the scopes it needs.

Sandbox

kinmu_sk_test_ keys always operate against a sandbox company with synthetic data, isolated from your real data. See the Sandbox guide.

Rotation

Rotating a key = create a new one and revoke the old one. Zero-downtime flow:

  1. Create the new key with the same scopes.
  2. Deploy your integration with the new key.
  3. Verify that it works (for example, a GET /v1/organization).
  4. Revoke the old key.

Revocation

Revocation is immediate from the dashboard: the key stops working on the next request (401 unauthenticated). Immediately revoke any key you suspect is compromised and review its last_used_ip.

Best practices

  • Never publish a key in client code, mobile apps, repositories or logs. They are server credentials.
  • Store them in a secrets manager or environment variables.
  • Use one key per integration so you can revoke granularly.
  • Apply least privilege: only the essential scopes.
  • Set an expiration and rotate periodically.
  • In logs, never record the Authorization header.

Authentication errors

HTTPcodeCause
401unauthenticatedMissing key, or the key is invalid, revoked or expired.
403invalid_scopeThe key lacks the required scope (errors.required_scope).
403subscription_inactiveThe company’s subscription is suspended.
403addon_disabledThe Public API addon is not active.

See the full error format in Conventions → Errors.

Last updated on