Authentication

All API requests require authentication via an API key passed in the Authorization header.

API Key Format

ps_{env}_{random}
│   │     │
│   │     └── 32 random characters
│   └──────── live or test
└──────────── prefix

Examples:

Authorization Header

Pass your key as a Bearer token:

curl https://api.postscript.io/v1/profiles \
  -H "Authorization: Bearer ps_live_your_key_here"

The Klaviyo-compatible surface also accepts:

Authorization: Klaviyo-API-Key ps_live_your_key_here

Scopes

API keys are scoped to a specific property and have granular permissions:

| Scope | Permissions |
| --- | --- |
| events:read | List and retrieve events |
| events:write | Create events (single and bulk) |
| profiles:read | List and retrieve profiles |
| profiles:write | Create, update, and upsert profiles |

If a request requires a scope the key doesn't have, the API returns 403 Forbidden with the missing scope in the error message:

{
  "error": {
    "code": "forbidden",
    "message": "API key does not have required scope events:write",
    "request_id": "550e8400-e29b-41d4-a716-446655440000"
  }
}
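
A client-side sketch of the key format and the 403 scope error described above, as an added example that is not Postscript's own code. The function names, the letters-and-digits alphabet for the 32 random characters, and the sample key are assumptions made for illustration.

```python
import json
import re

# Assumption: the 32 random characters are ASCII letters and digits;
# the page does not state the alphabet.
KEY_RE = re.compile(r"\bps_(live|test)_[A-Za-z0-9]{32}\b")
SCOPE_RE = re.compile(r"required scope (\S+)")

# Constructed sample key, not a real credential.
SAMPLE_KEY = "ps_test_" + "a1B2c3D4" * 4


def key_env(key):
    """Return 'live' or 'test' for a well-formed key, else raise ValueError."""
    m = KEY_RE.fullmatch(key)
    if m is None:
        raise ValueError("key does not match ps_{env}_{random}")
    return m.group(1)


def redact(text):
    """Mask the random part of every key in text before it is logged."""
    return KEY_RE.sub(lambda m: "ps_" + m.group(1) + "_" + "*" * 32, text)


def auth_header(key, expected_env):
    """Build the Bearer header; refuse a key from the wrong environment."""
    env = key_env(key)
    if env != expected_env:
        raise ValueError(env + " key supplied where " + expected_env + " is expected")
    return {"Authorization": "Bearer " + key}


def missing_scope(status, body):
    """Return the scope named in a 403 'forbidden' body, else None."""
    if status != 403:
        return None
    try:
        err = json.loads(body)["error"]
        if err["code"] != "forbidden":
            return None
        m = SCOPE_RE.search(err["message"])
    except (ValueError, KeyError, TypeError):
        return None
    return m.group(1) if m else None
```

Checking the environment before sending keeps a live key out of test tooling, and running `redact` over anything written to logs keeps the secret part of the key out of them.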

Property Scoping

Every API key is bound to a single property (merchant account). All operations — events, profiles, etc. — are automatically scoped to that property. You cannot access data from other properties with the same key.