Authentication
Bearer tokens, paid-user gating, and what to do if a token leaks.
Bearer tokens
Every request must include a personal access token in the Authorization header:
Tokens are generated in Savee → Settings → Developer. Each user has at most one active token at a time — generating a new one revokes the previous.
Savee stores only a SHA-256 hash of the token; the raw value is shown exactly once on generation. If you lose it, generate a new one — the old token is unrecoverable.
Treat it like a password
- Never commit tokens to source control.
- Never expose them in client-side code that runs in a browser.
- Rotate immediately if you suspect a leak: open settings, click Regenerate. Existing integrations using the old token will start receiving 401 within seconds.
Paid-user only
The API is gated behind any active Savee subscription. If your subscription
lapses, your existing tokens stop working until renewal — they aren't deleted,
just rejected with a 402 PAYMENT_REQUIRED until billing is current again.
Errors
| HTTP | error.code | When |
|---|---|---|
| 400 | INVALID_INPUT | Bad query parameter (e.g., unknown key, out-of-range limit) |
| 401 | UNAUTHORIZED | Missing, malformed, or unknown token |
| 402 | PAYMENT_REQUIRED | Token valid but the user has no active subscription |
| 403 | FORBIDDEN | Public API is not enabled for this account |
| 404 | NOT_FOUND | Resource doesn't exist or isn't accessible to the caller (see endpoint docs) |
| 429 | TOO_MANY_REQUESTS | Rate-limited — wait Retry-After seconds |
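
An added example, not Savee's own code, showing how an integration can apply the "Treat it like a password" rules and the status codes in the table above: the token comes from the environment, 401/402/403 stop the call immediately, and only 429 is retried after `Retry-After` seconds. The `Authorization: Bearer` header format, the `SAVEE_API_TOKEN` variable name, and the injected `send` transport are assumptions.

```python
import os
import time

class ApiError(Exception):
    """A response that retrying cannot fix."""

# Non-retryable statuses from the error table and the action each one calls for.
FATAL = {
    401: "token missing, malformed, or unknown: load the current token",
    402: "no active subscription: token is rejected until billing is current",
    403: "public API is not enabled for this account",
}

def load_token(env=os.environ, var="SAVEE_API_TOKEN"):  # hypothetical variable name
    """Read the token from the environment, keeping it out of source control."""
    token = env.get(var, "").strip()
    if not token:
        raise ApiError(f"{var} is not set")
    return token

def call(send, token, max_attempts=3, sleep=time.sleep):
    """Make one API call through send(headers) -> (status, response_headers, body).

    Retries only on 429, waiting Retry-After seconds. Stops at once on 401/402/403
    so a rejected token is not replayed in a loop. Messages never contain the token.
    """
    headers = {"Authorization": f"Bearer {token}"}  # assumed header format
    for attempt in range(1, max_attempts + 1):
        status, resp_headers, body = send(headers)
        if status in FATAL:
            raise ApiError(f"HTTP {status}: {FATAL[status]}")
        if status == 429 and attempt < max_attempts:
            try:
                wait = max(0.0, float(resp_headers.get("Retry-After", "1")))
            except ValueError:
                wait = 1.0  # unparsable header: short fixed pause
            sleep(wait)
            continue
        return status, body
    raise ApiError("max_attempts must be at least 1")

if __name__ == "__main__":
    # Constructed responses standing in for the network: one 429, then success.
    replies = iter([(429, {"Retry-After": "2"}, ""), (200, {}, "ok")])
    print(call(lambda h: next(replies), "constructed-token", sleep=lambda s: None))
```
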
All error responses use the same envelope: