API

Authentication

Use API keys to authenticate requests to the Sotion API for programmatic access to your site data and member management.

How authentication works

Sotion uses API keys with bearer token authentication. Every API request must include an Authorization header with your API key.

Authorization: Bearer so_your_api_key_here

Requests without a valid API key return an error:

{"error": "Missing API key. Pass Authorization: Bearer so_..."}

Create an API key

  1. Go to Integrations in your site settings.

  2. Find the API Keys section.

  3. Click Create Key or Create your first API key.

  4. Give your key a descriptive name (optional but recommended).

  5. Click Create API Key.

Copy your API key immediately after creation. This is the only time the key will be shown. Store it securely—you won't be able to see it again.

Manage your API keys

From the Integrations page, you can:

  • Rename — Update the key's display name for easier identification.

  • Roll — Generate a new key value while keeping the same key record. Useful if you suspect a key has been compromised.

  • Revoke — Temporarily disable the key without deleting it.

  • Delete — Permanently remove the key. This cannot be undone.

Sotion enforces a maximum number of active API keys per site. If you reach the limit, revoke or delete unused keys before creating new ones.

Use your API key in requests

Include your API key in the Authorization header as a bearer token:

curl -X GET https://api.sotion.so/v1/members \
  -H "Authorization: Bearer so_your_api_key_here"

All API endpoints require this header. For specific endpoints and request formats, see the API Overview.

Security best practices

  • Store API keys securely—treat them like passwords.

  • Never share keys in public repositories, chat logs, or screenshots.

  • Use environment variables or a secrets manager instead of hardcoding keys.

  • Create separate keys for different integrations so you can revoke them independently.

  • Roll keys periodically, especially after team member departures or suspected leaks.
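The environment-variable practice above, as an added example that is not Sotion's own code: the key is read from the environment and handed to curl on standard input, so it is neither hardcoded in the script nor visible in the process argument list. The variable name SOTION_API_KEY and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from Sotion. SOTION_API_KEY and the function names
# below are assumed names chosen for illustration.

SOTION_API_BASE="https://api.sotion.so"

# Print a curl config line that carries the Authorization header.
# Returns non-zero if the key is unset, lacks the so_ prefix, or contains
# whitespace, a double quote or a backslash (any of which would break the
# quoted value in the curl config line).
sotion_auth_config() {
  _key="${SOTION_API_KEY:-}"
  if [ -z "$_key" ]; then
    echo "SOTION_API_KEY is not set" >&2
    return 1
  fi
  case "$_key" in
    so_*) ;;
    *) echo "SOTION_API_KEY does not start with so_" >&2; return 1 ;;
  esac
  _clean="$(printf '%s' "$_key" | tr -d '[:space:]"\\')"
  if [ "$_clean" != "$_key" ]; then
    echo "SOTION_API_KEY contains whitespace, a quote or a backslash" >&2
    return 1
  fi
  printf 'header = "Authorization: Bearer %s"\n' "$_key"
}

# GET an API path such as /v1/members. The header reaches curl through
# --config - (standard input), so the key never appears in curl's
# command-line arguments, which other local processes can read.
sotion_get() {
  _cfg="$(sotion_auth_config)" || return 1
  printf '%s\n' "$_cfg" | curl --silent --show-error \
    --config - "${SOTION_API_BASE}$1"
}

# Usage, after exporting the key from your secrets manager or shell profile:
#   sotion_get /v1/members
```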

Common errors

Missing API key

Error: Missing API key. Pass Authorization: Bearer so_...

Cause: The request is missing the Authorization header or the header format is incorrect.

Solution: Add the header Authorization: Bearer so_your_api_key to your request.

Invalid API key

Cause: The key has been revoked, deleted, or rolled.

Solution: Generate a new key from Integrations and update your integration with the new value.

Maximum active keys reached

Cause: You've hit the limit for active API keys on your site.

Solution: Revoke or delete unused keys, then create a new one.
