API Reference
Authentication
Publishable keys, secret keys, and OAuth 2.1 + PKCE for partner apps.
Every request to the Ceevee API must be authenticated. Tokens are passed as a Bearer token in the Authorization header — never in query strings, never in cookies. The API will reject any request that places a credential in the URL.
All three credential kinds carry a scope set chosen at creation time. A request that lacks the scope required by the endpoint returns 403 forbidden / insufficient_scope.
Token kinds
- **Publishable key** (ceevee_pk_live_…) — safe to embed in browser code. Read-only access to public data and the ability to create job applications. Each pk is pinned to one or more Origin values; mismatched origins are rejected before the handler runs.
- **Secret key** (ceevee_sk_live_…) — server-side only. Full read/write access within the scopes you grant. Shown once at creation; never recoverable. Treat it like a password.
- **OAuth access token** (ceevee_oat_live_…) — issued to partner applications via OAuth 2.1 + PKCE after a Ceevee user explicitly authorizes them. Scoped to that user's organization, expires after one hour, and rotates with a refresh token.
Sending the token
Pass the token verbatim in the Authorization header. There is no signing step for first-party calls — TLS provides transport security and the HMAC-pepper protects the token at rest.
curl https://api.ceevee.cc/v1/me \
  -H "Authorization: Bearer ceevee_sk_live_xxxxxxxxxxxx"
Live vs sandbox
Live keys (_live_) hit api.ceevee.cc. Sandbox keys (_test_) hit api.sandbox.ceevee.cc and operate against an isolated dataset. Mixing the two returns 401 wrong_env.
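A client-side pre-flight check for the rules above, as an added example that is not part of Ceevee's documentation or any Ceevee SDK: it reads the key kind and environment from the prefix, refuses a URL that carries a credential, and refuses a live/sandbox host mismatch before the key leaves the machine. The token layout `ceevee_<kind>_<env>_<opaque>` is an assumption inferred from the prefixes on this page, and the function names are hypothetical.

```python
import re
import urllib.request
from urllib.parse import urlsplit

# Hosts come from the page. The token layout after the prefix is an assumption.
HOSTS = {"live": "api.ceevee.cc", "test": "api.sandbox.ceevee.cc"}
KINDS = {"pk": "publishable", "sk": "secret", "oat": "oauth_access"}
TOKEN_RE = re.compile(r"^ceevee_(pk|sk|oat)_(live|test)_(\S+)$")
IN_URL_RE = re.compile(r"ceevee_(pk|sk|oat)_(live|test)_")


def classify(token):
    """Return (kind, env) read from the token prefix, or raise ValueError."""
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError("unrecognised token prefix")
    return KINDS[m.group(1)], m.group(2)


def build_request(token, url, method="GET"):
    """Build (but do not send) a request carrying the token in the header only."""
    _kind, env = classify(token)
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing non-TLS URL")
    if parts.username or parts.password or IN_URL_RE.search(url):
        raise ValueError("credential must not appear in the URL")
    if parts.hostname != HOSTS[env]:
        # The API would answer 401 wrong_env; fail before the key leaves the host.
        raise ValueError(f"{env} key sent to {parts.hostname}")
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    return req


def redact(token):
    """Log-safe form: keep kind and environment visible, drop the secret part."""
    m = TOKEN_RE.match(token)
    return f"ceevee_{m.group(1)}_{m.group(2)}_..." if m else "<unrecognised>"


if __name__ == "__main__":
    sample = "ceevee_sk_test_xxxxxxxxxxxx"  # constructed placeholder, not a real key
    req = build_request(sample, "https://api.sandbox.ceevee.cc/v1/me")
    print(redact(sample), "->", req.full_url)
```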
Revocation
Revoke a key from Settings → Developers or via the dashboard API. Revocation is broadcast across all running instances within a few seconds — there is no "valid until next hour" gap.
Never expose secret keys
If a ceevee_sk_… key leaks, revoke it immediately and rotate. The public dashboard at Settings → Developers shows the last-used IP and timestamp for every key — use it to investigate suspicious activity.