Authentication
Loom API v1 uses different authentication depending on whether you are calling the API (server-to-server) or using the console/dashboard (web app).
Tenant API (programmatic)
All server-to-server API requests (verification, tokens, usage, etc.) are authenticated with your tenant API key sent in a header.
Tenant API key header
Use the x-tenant-api-key header with your tenant API key:
curl -X POST https://api.loomapi.com/verify/start \
  -H "x-tenant-api-key: your_tenant_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{}'
Never expose your tenant API key in client-side code or public repos. Store it in environment variables or a secret manager.
Getting your tenant API key
- Sign in at dashboard.loomapi.com
- Open API Keys (or Keys)
- Create a new key and copy it immediately — it is shown only once (see Key Management)
Key storage
- Use environment variables or a secrets manager (e.g. AWS Secrets Manager, HashiCorp Vault)
- Do not commit keys to version control; add .env to .gitignore
# .env (do not commit)
LOOM_TENANT_API_KEY=your_tenant_api_key_here
Console / dashboard (web app)
The console (dashboard) at dashboard.loomapi.com and any /console API routes use Clerk for user sign-in. Requests to those routes send:
Authorization: Bearer <Clerk JWT>
This is only for the web app (browser). Do not use a Clerk JWT for server-to-server API calls; use the tenant API key with x-tenant-api-key instead.
Authentication errors
If the tenant API key is missing, invalid, or revoked, the API returns 401 Unauthorized:
{
  "request_id": "req_1234567890",
  "error": {
    "code": "AUTH_INVALID_KEY",
    "message": "The provided API key is invalid or expired"
  }
}
- Ensure you are sending x-tenant-api-key (not Bearer or X-API-Key) for API requests
- Confirm the key is active in the dashboard and that you did not revoke it
- See Key Management for rotation and revocation
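The following is an added example, not Loom's own client code: a server-side sketch that reads the key from the environment, fails closed when it is absent, keeps the key out of logs, and turns the 401 body shown above into an exception. The function names and the LoomAuthError class are hypothetical; the host, header name, environment variable and error body come from this page.

```python
import json
import os
import urllib.request

API_BASE = "https://api.loomapi.com"   # host from the curl example on this page
KEY_ENV = "LOOM_TENANT_API_KEY"        # variable name from the .env example


class LoomAuthError(Exception):
    """Hypothetical error type: missing local key or a 401 from the API."""


def build_request(path, payload, env=None):
    """Build (not send) a POST authenticated with x-tenant-api-key."""
    env = os.environ if env is None else env
    key = (env.get(KEY_ENV) or "").strip()
    if not key:
        # Fail closed before any network call instead of sending an empty header.
        raise LoomAuthError(f"{KEY_ENV} is not set")
    return urllib.request.Request(
        API_BASE + path,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"x-tenant-api-key": key, "Content-Type": "application/json"},
    )


def loggable_headers(req):
    """Header view safe for logs: the tenant key value is never written out."""
    return {k: "[REDACTED]" if k.lower() == "x-tenant-api-key" else v
            for k, v in req.header_items()}


def check_response(status, body):
    """Return the parsed body, or raise LoomAuthError on a 401."""
    data = json.loads(body)
    if status == 401:
        err = data.get("error", {})
        # Keep request_id in the message so the failure can be correlated.
        raise LoomAuthError(f"{err.get('code')}: {err.get('message')} "
                            f"(request_id={data.get('request_id')})")
    return data


# Constructed input: the 401 body shown on this page, as a single string.
SAMPLE_401 = ('{"request_id": "req_1234567890", "error": {"code": "AUTH_INVALID_KEY", '
              '"message": "The provided API key is invalid or expired"}}')
```

Pass the built request to urllib.request.urlopen (or port the same checks to your HTTP client) and feed the status and body of the response to check_response.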
Need help?
- Key Management — show-once, rotate, revoke
- Quickstart — first request with tenant auth
- support@loomapi.com if issues persist