Authentication

Every request to /v1 needs an API key. Keys are scoped per-team and per-permission — no global tokens, no shared secrets.

Key formats

• dib_live_… — production keys. Hit real team data.
• dib_test_… — sandbox keys. Hit a fixed demo team with fixture data. Free on any team, even non-Pro.
• dib_partner_… — keys minted through Connect with Dib by an end user for your app.

Sending the key

Prefer the standard Bearer header:

Authorization: Bearer dib_live_abc...xyz

If your tooling can't set Authorization, we also accept X-Api-Key:

X-Api-Key: dib_live_abc...xyz

Storage rules of thumb

• Treat keys like passwords. Never commit them.
• Server-side only — never expose to a browser bundle.
• Rotate any key you suspect leaked; revoking is instant.
• If a key shows up on GitHub, Dib's secret-scanning partner will revoke it automatically and email the owning team.

Scopes

Scopes follow a resource:action shape:

• inventory:read, inventory:write
• vehicles:read, vehicles:write
• documents:read, documents:write, documents:extract
• tasks:read, tasks:write
• rooms:read, rooms:write
• events:read, exports:create
• ai:chat, ai:smart_add

IP allowlists

Optional but encouraged for server-side keys. Add CIDR ranges in the key settings and Dib will reject requests from anywhere else with a ip_not_allowed error.

Sensitive actions

Creating, updating, or revoking a key from the dashboard requires a recent session re-authentication — Dib calls this "sudo mode" and it lasts 5 minutes per device.