Auth

Every authenticated endpoint accepts an opaque bearer token in the Authorization: Bearer culprit_live_... header.

Token format

culprit_live_<43 base62 chars>. The prefix is the first 12 characters and is what Culprit uses for the database lookup; the remaining 31 characters carry the entropy and are HMAC-pepper-hashed at rest. The raw token is shown ONCE, in the response to POST /v1/api_tokens.

Read-only vs read-write

Tokens carry a single scope: read_only or read_write. A read-only token gets a 403 token_scope_insufficient on every POST/PATCH/DELETE. See Scopes.

Rotation

Revoke via DELETE /v1/api_tokens/{id}. Tokens carry no TTL — they're valid until revoked or until the human owner is deleted from the tenant. There is no refresh flow.

What lives behind a token

Every API request runs as the token's created_by_user_id — the human owner. RLS applies normally; an admin's token sees what the admin would see in the dashboard.