Mint a short-lived end-user token
A few endpoints act on behalf of a specific end-user — for example, submitting an MFA challenge during connection setup. Those use a different credential than your normal API key: a short-lived (5-minute) bearer token bound to one Client.
Call this with your normal API key to mint one when you need it. Keep it server-side and short-scoped.
Authorizations
Pass your secret key in the Authorization header as a Bearer
token: Authorization: Bearer sk_test_... (sandbox) or
Bearer sk_live_... (production).
Keys are created in the developer portal and the plaintext secret is shown exactly once at creation. Treat them like passwords — never embed them in mobile apps or front-end code.
