# Authentication
The Roundtable API supports two authentication methods: Firebase ID tokens for interactive applications and API keys for programmatic access.
## Getting a Token

### Firebase ID Token (Interactive)
Roundtable uses Firebase Auth with Google Sign-In. When a user signs in through the Roundtable dashboard, Firebase issues an ID token that can be used for API requests.
To obtain a token programmatically using the Firebase SDK:
```javascript
import { getAuth } from 'firebase/auth';

const auth = getAuth();
const user = auth.currentUser;

if (user) {
  const token = await user.getIdToken();
  console.log(token); // Use this as your Bearer token
}
```
### API Key (Programmatic)
For automation, CI/CD pipelines, and scripts, use an API key instead:
- Create an API key in Organization Settings → API Keys (see API Keys).
- Use the key as your Bearer token.
```bash
# API key authentication
curl https://roundtable.foxtrotcommunications.net/api/v1/workspaces \
  -H "Authorization: Bearer rt_sk_your_api_key_here"
```
## Using the Token
Include your token in the Authorization header of every API request:
```
Authorization: Bearer <token>
```
### Example: cURL

```bash
curl -X GET https://roundtable.foxtrotcommunications.net/api/v1/workspaces \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..." \
  -H "Content-Type: application/json"
```
### Example: JavaScript (fetch)

```javascript
// token: a Firebase ID token or an API key obtained as described above
const response = await fetch(
  'https://roundtable.foxtrotcommunications.net/api/v1/workspaces',
  {
    headers: {
      'Authorization': `Bearer ${token}`,
      'Content-Type': 'application/json',
    },
  }
);

if (!response.ok) {
  // 401 and 403 bodies are documented under Error Responses below
  throw new Error(`Request failed with status ${response.status}`);
}
const data = await response.json();
```
### Example: Python (requests)

```python
import os
import requests

# Read the credential from the environment rather than hard-coding it;
# this may be an API key or a Firebase ID token.
token = os.environ["ROUNDTABLE_API_KEY"]

headers = {
    "Authorization": f"Bearer {token}",
    "Content-Type": "application/json",
}

response = requests.get(
    "https://roundtable.foxtrotcommunications.net/api/v1/workspaces",
    headers=headers,
)
response.raise_for_status()  # surfaces 401/403 instead of parsing an error body as data
data = response.json()
```
## Token Expiration

### Firebase ID Tokens
Firebase ID tokens expire after 1 hour. The Firebase SDK automatically refreshes tokens in the background, so interactive applications don't need to handle expiration manually.
If you're managing tokens outside the SDK:
```javascript
// Force a fresh token (useful before long-running operations)
const freshToken = await user.getIdToken(/* forceRefresh */ true);
```
### API Keys
API keys do not expire. They remain valid until explicitly revoked. For security, rotate keys periodically — see API Keys → Regular Rotation.
## Service Account Authentication
For server-to-server integrations and automation pipelines where no human user is involved, use the API key approach:
- Have an Admin or Owner create a dedicated API key for the service.
- Store the key securely (environment variable, secret manager — never commit to source control).
- Use the key as a Bearer token in API requests.
```bash
# Example: CI/CD pipeline using an environment variable
curl -X POST https://roundtable.foxtrotcommunications.net/api/v1/workspaces \
  -H "Authorization: Bearer ${ROUNDTABLE_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{"name": "Staging Environment", "provider": "vertex_ai"}'
```

:::warning Secret Management

Never hard-code API keys in source code or configuration files. Use environment variables, CI/CD secrets, or a secret manager like Google Secret Manager, AWS Secrets Manager, or HashiCorp Vault.

:::
## Error Responses

| Status Code | Error | Meaning |
|---|---|---|
| 401 | Unauthorized | No token provided, or the token is invalid/expired |
| 403 | Forbidden | Token is valid but the user lacks permission for the requested resource |
### 401 Unauthorized

```json
{
  "error": "Unauthorized",
  "details": "Missing or invalid authentication token"
}
```

Common causes:

- No `Authorization` header in the request
- Malformed header (e.g., missing `Bearer` prefix)
- Expired Firebase ID token (refresh and retry)
- Revoked API key
### 403 Forbidden

```json
{
  "error": "Forbidden",
  "details": "You do not have permission to access this resource"
}
```
Common causes:
- Member trying to access Admin-only endpoints (e.g., managing members)
- API key created by a user who has since been removed from the org
- Attempting to access a workspace in a different organization
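The Token Expiration and Error Responses sections above together define how a client should react to each outcome: a 401 on a Firebase ID token is worth one refresh-and-retry, a 401 on an API key means the key is missing, malformed or revoked, and a 403 is a permission problem that no retry can fix. The following Python wrapper applies those rules; it is an added example, not Roundtable's own client code, and it injects the HTTP transport as `send(headers) -> (status, body)` so it runs offline against a constructed `fake_server` that returns the documented error bodies.

```python
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict]
Send = Callable[[Dict[str, str]], Response]   # injected HTTP transport: headers -> (status, body)


class AuthError(Exception):
    """A 401/403 that retrying with the same credential will not fix."""


def bearer_headers(token: str) -> Dict[str, str]:
    # Every Roundtable request carries the token as a Bearer credential.
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def request_with_auth(send: Send, token: str,
                      refresh: Optional[Callable[[], str]] = None) -> Tuple[int, Dict, int]:
    """Send one request and apply the documented 401/403 semantics.

    refresh returns a fresh Firebase ID token (what the SDK's getIdToken(true) does);
    pass None for API keys, which have no refresh path. Returns (status, body, attempts).
    """
    attempts = 1
    status, body = send(bearer_headers(token))
    if status == 401 and refresh is not None:
        # Firebase ID tokens expire after one hour: refresh once and retry.
        attempts += 1
        status, body = send(bearer_headers(refresh()))
    if status == 401:
        # Revoked/malformed API key, or the refreshed ID token was still rejected.
        raise AuthError(f"401 Unauthorized: {body.get('details')}")
    if status == 403:
        # Credential is valid but lacks permission; retrying cannot help.
        raise AuthError(f"403 Forbidden: {body.get('details')}")
    return status, body, attempts


def fake_server(valid_tokens: set, forbidden: bool = False) -> Send:
    """Constructed offline stand-in for the API that returns the documented error bodies."""
    def send(headers: Dict[str, str]) -> Response:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or auth[len("Bearer "):] not in valid_tokens:
            return 401, {"error": "Unauthorized",
                         "details": "Missing or invalid authentication token"}
        if forbidden:
            return 403, {"error": "Forbidden",
                         "details": "You do not have permission to access this resource"}
        return 200, {"workspaces": []}
    return send
```

Because `refresh` is only supplied for Firebase ID tokens, an API key that produces a 401 fails immediately instead of being retried in a loop, which also keeps a revoked key from generating repeated failed-auth noise in the server logs.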