How to create and use Breadbox API keys, understand read_only and full_access scopes, pass the X-API-Key header, and handle auth errors.
Every request to the Breadbox REST API must include a valid API key. Keys are created from the admin dashboard, scoped to control what operations a client can perform, and passed as a request header on every call. Breadbox never stores the full plaintext key — the key is shown once at creation and then hashed.
Create API keys from the admin dashboard under Settings → API Keys. Give each key a descriptive name so you can identify it later (for example, "Home Assistant" or "Monthly report script"). The full plaintext key is displayed exactly once when you create it — copy it to a safe location before closing the dialog.For detailed configuration steps, see the API keys configuration guide.
Each key is assigned one of two scopes at creation time:
Scope
Description
read_only
Read access to all data endpoints. Cannot modify data, trigger syncs, or create resources.
full_access
Full read and write access. Required for any endpoint marked Write in this documentation.
Choose the narrowest scope that meets your use case. AI agents that only query transaction history should use read_only keys. Agents or scripts that create rules, categorize transactions, or trigger syncs need full_access.
A 401 response means the key itself is invalid or absent. A 403 response means the key is valid but does not have the required scope — for example, a read_only key attempting a write operation.
The Breadbox CLI uses a device-code grant so an operator on one machine can mint an API key for a client on another — without ever copying a long-lived secret onto the second machine through an unverified channel. The browser approval lives on the trusted device; the remote machine only ever sees the issued bb_ key.The flow is exposed at two unauthenticated REST endpoints:
Method
Path
Description
POST
/api/v1/auth/device-code
Initiates a session. Returns a device_code, a user_code to display to the operator, a verification_url to open in a browser, and a poll interval.
POST
/api/v1/auth/device-code/poll
Polls with the device_code. Returns authorization_pending until the operator approves in their browser; returns the issued bb_ API key on success; returns expired after the TTL.
The standard CLI invocation:
# On the remote machine (no key yet)breadbox auth login --host https://breadbox.example.com# CLI prints: "Open https://breadbox.example.com/auth/device on the host you trust,# enter code: ABCD-1234"# Operator approves in their browser; the CLI saves the key to ~/.config/breadbox/hosts.toml
Pass --token bb_… to skip the device flow entirely (paste-mode) when an operator has already minted a key on the server side. See the CLI authentication guide for the full flow including auth bootstrap (local-only key mint) and BREADBOX_TOKEN env override.
A single unauthenticated endpoint helps remote agents confirm they’re talking to a live Breadbox before they have a key:
Method
Path
Description
GET
/api/v1/headless/bootstrap
Returns the server version, public configuration (which providers are configured, whether the dashboard is enabled), and the device-code endpoints to use next. No X-API-Key required.
Use it as a smoke test from a breadbox-cli build (breadbox doctor calls it automatically).
One key per client. Assign a separate key to each application or script that calls the API. This lets you revoke a single key without disrupting other clients.
Use read_only by default. Grant full_access only when the client genuinely needs to write data.
Rotate keys periodically. Create a new key, update the client, then revoke the old key from the dashboard.
Never expose keys in client-side code or version control. Treat API keys with the same care as passwords. If a key is compromised, revoke it immediately from Settings → API Keys.
Store keys in environment variables or a secrets manager rather than hardcoding them in configuration files.
