Authentication
Bearer Token Authentication
All API requests require a bearer token in the Authorization header:

```
Authorization: Bearer brk_your_api_key_here
```

API keys use the brk_ prefix followed by 48 hex characters. Keys are hashed with SHA-256 before storage — the plaintext is shown exactly once at creation.
Scopes
Each API key can be restricted to specific scopes. An empty scopes array grants full access.
| Scope | Access |
|---|---|
| leads:read | List and view leads |
| leads:write | Create, update, and archive leads |
| appointments:read | List and view appointments |
| appointments:write | Create, update, and cancel appointments |
| tasks:read | List and view tasks |
| tasks:write | Create, update, and cancel tasks |
| conversations:read | View conversation threads and messages |
| messages:write | Send SMS messages (compliance-checked) |
| org:read | View organization configuration |
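
The key handling and scope rule described above, as a server-side sketch added here for illustration; it is not the API's own code. Random key generation, lowercase hex, the `key_store` mapping and all function names are assumptions.

```python
import hashlib
import re
import secrets

# Format stated on this page: "brk_" + 48 hex characters (lowercase assumed).
KEY_RE = re.compile(r"brk_[0-9a-f]{48}")

def new_api_key():
    """Return (plaintext, digest); only the digest is ever stored."""
    plaintext = "brk_" + secrets.token_hex(24)  # 24 random bytes -> 48 hex chars
    return plaintext, hashlib.sha256(plaintext.encode()).hexdigest()

def parse_bearer(header):
    """Return the key from an Authorization header value, or None if malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "bearer" or not KEY_RE.fullmatch(token):
        return None
    return token

def authorize(header, required_scope, key_store):
    """key_store maps SHA-256 hex digest -> list of scopes (hypothetical schema)."""
    token = parse_bearer(header)
    if token is None:
        return False
    # A fast unsalted hash is acceptable here only because the key itself
    # carries 192 bits of randomness; this would not hold for passwords.
    scopes = key_store.get(hashlib.sha256(token.encode()).hexdigest())
    if scopes is None:
        return False
    # Rule from this page: an empty scopes array grants full access.
    return len(scopes) == 0 or required_scope in scopes

def unrestricted_keys(key_store):
    """Audit helper: digests of keys whose empty scope list means full access."""
    return [digest for digest, scopes in key_store.items() if not scopes]

if __name__ == "__main__":
    # Constructed sample data: one scoped key, one key created with no scopes.
    scoped, scoped_digest = new_api_key()
    broad, broad_digest = new_api_key()
    store = {scoped_digest: ["leads:read"], broad_digest: []}
    print(authorize("Bearer " + scoped, "leads:read", store))    # scoped key, granted scope
    print(authorize("Bearer " + scoped, "messages:write", store))  # scoped key, missing scope
    print(authorize("Bearer " + broad, "messages:write", store))   # empty scopes = full access
    print(len(unrestricted_keys(store)))
```

Because an empty array means full access, a key created without scopes is the most privileged kind; an audit like `unrestricted_keys` makes those keys visible.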
Rate Limits
| Operation | Limit | Window |
|---|---|---|
| Read (GET) | 60 requests | Per minute, per API key |
| Write (POST/PUT/DELETE) | 30 requests | Per minute, per API key |
When rate limited, the API returns 429 with retryable: true:
```json
{
  "error": {
    "code": "rate_limit_exceeded",
    "message": "API read rate limit exceeded (60/min). Try again shortly.",
    "retryable": true
  }
}
```