Authentication

Authenticate Amboss API requests with API keys. Reference of per-product GraphQL endpoints and required headers for Space, Rails, Magma, Reflex, and Payments.

Authenticate API requests using Amboss API keys. The header convention is product-specific.

Per-product header

ProductGraphQL endpointAuth header
Spacehttps://api.amboss.space/graphqlAuthorization: Bearer <key>
Reflexhttps://reflex.amboss.tech/graphqlAuthorization: Bearer <key>
Magmahttps://magma.amboss.tech/graphqlAuthorization: Bearer <key>
Rails / Paymentshttps://rails.amboss.tech/graphqlx-api-key: <key>

Rails Payments uses x-api-key, not Authorization: Bearer. Sending a Bearer token to the Rails endpoint authenticates as a dashboard user (used for master-account operations only), not as a service API key.

Where to create a key

Keys are created from the product's own dashboard, not a single shared settings page:

Example: Bearer (Space)

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{"query":"query{getHello}"}' \
  https://api.amboss.space/graphql

Example: x-api-key (Payments)

curl -X POST \
  -H "Content-Type: application/json" \
  -H "x-api-key: amb_live_YOUR_KEY" \
  -d '{"query":"{ payment { wallet { list(environment_id: \"...\") { id } } } }"}' \
  https://rails.amboss.tech/graphql

Keep your API keys secure. Do not commit them to version control. If a key is compromised, revoke it immediately from the dashboard where it was created.