Authorization header.
Get an API key
Herm is in early access. Book a demo or email rajit@prismvideos.com and we’ll provision an API key for your team. Keys are shown once at creation — store them in your secret manager.Using your API key
Include the key in every request as a Bearer token:Scopes
API keys are issued with scopes that control what they can access:| Scope | Access |
|---|---|
deployments:write | Create, update, and delete deployments; send messages |
deployments:read | Get and list deployments; subscribe to event streams |
Connector secrets
Customer connector credentials (for example a Meta Ads or Google Drive token) are never sent inline. Store them as secrets first, then pass secret references (sec_...) in the secrets field when creating a deployment. Raw credentials never appear in prompts, logs, or the agent’s filesystem.
Key safety
- Use the API key from your backend only — never ship it to a browser or mobile client.
- Rotate keys by requesting a new one and revoking the old.
- A revoked or invalid key returns
401 unauthorizedon every endpoint.