The header
Every Slideless API endpoint (except the public token-based getSharedPresentation) requires a single header, X-Process-Manager-Key.
There is no Authorization: Bearer … scheme: the Slideless backend only checks X-Process-Manager-Key.
Key prefixes
| Prefix | Type | Use case |
|---|---|---|
| cko_ | Organization key | What every external integration uses |
| cka_ | Admin key | Internal platform automation; not user-creatable |
- cka_ → validated against the admin_api_keys collection
- cko_ → validated against the organization_api_keys collection (also resolves the org context)
401.
Getting a key
See Quickstart Step 2 and the API keys concept — keys are created in the dashboard at Organization → API Keys. Pick scopes when creating:
| Scope | Granted to |
|---|---|
| presentations:write | Endpoints that create or modify presentations (upload, update) |
| presentations:read | Endpoints that read presentations (list, get) |
Verifying a key
Use POST /verifyApiKey to check a key without making a destructive call:
- 200 → key is valid (response includes name, scopes, organization, last-used time).
- 401 → key is missing, malformed, or revoked.
Errors
| Status | Code | What it means | Fix |
|---|---|---|---|
| 401 | unauthenticated | Header missing or key not recognized | Send X-Process-Manager-Key with a valid cko_ or cka_ value |
| 403 | permission-denied | Key valid but you don’t own the resource | The key’s user must match the presentation’s ownerId |
| 403 | revoked | Key was revoked | Create a new key |
What’s stored server-side
Slideless stores a SHA-256 hash of every API key, not the raw value. The dashboard shows the raw key once at creation. If you lose it, create a new one.
Operational guidance
- Treat keys as secrets — don’t commit, paste, or log them.
- One key per integration — easier to rotate, easier to attribute usage.
- Set lastUsedAt reminders — long-unused keys are good revocation candidates.
- Use verifyApiKey at the start of any long-running script so you fail fast on auth issues.
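An added sketch, not Slideless's own code, of how the checks described above fit together: prefix routing to a collection, lookup by SHA-256 digest rather than raw key, and the status codes from the Errors table. The in-memory store, the record fields (userId, revoked), the function names and the "ok" code are assumptions made for illustration.

```python
import hashlib

# Prefix -> collection, as listed on the page.
PREFIX_TO_COLLECTION = {"cka_": "admin_api_keys", "cko_": "organization_api_keys"}
# Constructed in-memory stand-in for the datastore: collection -> {sha256 hex -> record}.
STORE = {name: {} for name in PREFIX_TO_COLLECTION.values()}


def key_digest(raw_key):
    """SHA-256 hex digest of the raw key; this is the only form persisted."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def register_key(raw_key, user_id, revoked=False):
    """Store a record under the key's digest (record fields are assumed)."""
    collection = PREFIX_TO_COLLECTION[raw_key[:4]]
    STORE[collection][key_digest(raw_key)] = {"userId": user_id, "revoked": revoked}


def check_request(headers, presentation=None):
    """Return (status, code) following the page's Errors table."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    normalised = {name.lower(): value for name, value in headers.items()}
    raw_key = normalised.get("x-process-manager-key", "")
    collection = PREFIX_TO_COLLECTION.get(raw_key[:4])
    if collection is None:  # header missing, or prefix is neither cko_ nor cka_
        return 401, "unauthenticated"
    record = STORE[collection].get(key_digest(raw_key))
    if record is None:  # known prefix, but no stored digest matches
        return 401, "unauthenticated"
    if record["revoked"]:
        return 403, "revoked"
    if presentation is not None and presentation["ownerId"] != record["userId"]:
        return 403, "permission-denied"
    return 200, "ok"


# Constructed sample keys and records, not real credentials.
register_key("cko_example_active", user_id="user-1")
register_key("cko_example_revoked", user_id="user-2", revoked=True)
```

Because the lookup is by digest within the collection chosen by prefix, a key sent only as Authorization: Bearer, or sent with the wrong prefix, never reaches a stored record and gets 401.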