Authentication
Authenticate Amboss API requests with API keys. Reference of per-product GraphQL endpoints and required headers for Space, Rails, Magma, Reflex, and Payments.
Authenticate API requests using Amboss API keys. The header convention is product-specific.
Per-product header
| Product | GraphQL endpoint | Auth header |
|---|---|---|
| Space | https://api.amboss.space/graphql | Authorization: Bearer <key> |
| Reflex | https://reflex.amboss.tech/graphql | Authorization: Bearer <key> |
| Magma | https://magma.amboss.tech/graphql | Authorization: Bearer <key> |
| Rails / Payments | https://rails.amboss.tech/graphql | x-api-key: <key> |
Rails Payments uses x-api-key, not Authorization: Bearer. Sending a Bearer token to the Rails endpoint authenticates as a dashboard user (used for master-account operations only), not as a service API key.
Where to create a key
Keys are created from the product's own dashboard, not a single shared settings page:
- Space, Reflex, Magma — create keys at account.amboss.tech/settings/api-keys.
- Rails / Payments — keys are scoped to a specific environment and created from rails.amboss.tech/pay → your environment → API Keys. The scoping model (resource + level permissions, optional wallet pinning, expiration) is documented at Payments → API Keys.
Example: Bearer (Space)
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_API_KEY" \
-d '{"query":"query{getHello}"}' \
https://api.amboss.space/graphqlExample: x-api-key (Payments)
curl -X POST \
-H "Content-Type: application/json" \
-H "x-api-key: amb_live_YOUR_KEY" \
-d '{"query":"{ payment { wallet { list(environment_id: \"...\") { id } } } }"}' \
https://rails.amboss.tech/graphqlKeep your API keys secure. Do not commit them to version control. If a key is compromised, revoke it immediately from the dashboard where it was created.