API keys
API keys are long-lived credentials used for all server-side API calls. They’re created and managed in Console.Key format
The key prefix tells you the environment:Usage
Include the API key in theAuthorization header as a Bearer token:
Bash
Key security
When you create an API key, the raw key is returned once. Palm stores a cryptographic hash — not the key itself. If you lose a key, you’ll need to create a new one. Each API key is tied to one organization. All requests authenticated with that key operate within that organization’s context.Test vs production
The key prefix determines the mode. Test keys run in an isolated sandbox — never billed, never touching real filings or providers — and return production-shaped responses and webhooks so you can build a full integration before going live. See Test mode for how it works, deterministic verification results, and simulating filing outcomes.Error handling
Common causes of
401 errors: missing Authorization header, malformed Bearer token, or expired / revoked API key.
Error responses follow the RFC 7807 Problem Details format:
JSON
Best practices
- Store API keys securely: Use environment variables or a secrets manager. Never commit keys to source control.
- Use test keys for development: Reserve
sk_live_keys for production systems. - Rotate keys periodically: Create new keys and deprecate old ones on a regular schedule.
- Monitor key usage: Check Console for unusual activity patterns.
Rate limiting
All authenticated requests are subject to rate limits. When you exceed the limit, the API returns429 Too Many Requests with the following headers:
Back off and retry after the reset window.

