Authentication
The Vidocu API supports two authentication methods:
- API Keys — for server-to-server integrations you control
- OAuth 2.0 — for third-party apps acting on behalf of users (learn more)
All API requests require a valid token passed in the Authorization header.
API Keys
Header format
Authorization: Bearer vdo_live_your_key_here
API key format
Keys follow the format vdo_live_ followed by a random string. Example:
vdo_live_k7xG2mNpQrS9tVwY1zA3bC5dE
Managing keys
Create and manage API keys from the Vidocu Dashboard.
- Starter plans get up to 2 API keys
- Growth plans get up to 5 API keys
- Scale plans get up to 10 API keys
- Enterprise plans get unlimited API keys
Keys can be revoked at any time from the dashboard. Revoked keys are rejected immediately.
Security
- Keys are hashed (SHA-256) before storage — Vidocu never stores your raw key
- Only the key prefix is visible in the dashboard after creation
- Keep keys out of client-side code and version control
- Rotate keys if you suspect they've been compromised
Error responses
Missing or invalid keys return 401:
{
"error": {
"code": "authentication_error",
"message": "Invalid or missing API key"
}
}
Keys that don't start with vdo_live_ return:
{
"error": {
"code": "authentication_error",
"message": "Invalid API key format"
}
}
OAuth 2.0 access tokens
OAuth access tokens (vdo_oat_*) work the same way as API keys in the Authorization header:
Authorization: Bearer vdo_oat_your_access_token
OAuth tokens are scoped — they can only access endpoints the user approved. See the OAuth 2.0 guide for setup instructions.