The Cura API authenticates every request with a workspace API key. A key looks like cura_ followed by a random suffix, and it resolves to exactly one workspace — all data you read is scoped to that workspace.
Get a key
Create an API key from Settings → API keys in the dashboard. Treat the key like a password: it grants read access to your portfolio, so store it in a secret manager and never commit it to source control.
A key is shown in full only once, when you create it. If you lose it, revoke it and create a new
one.
Authenticate a request
Send the key in the Authorization header as a bearer token:
curl https://api.cura.inc/portfolio \
-H "Authorization: Bearer cura_your_key_here"
401:
{ "error": "Invalid or missing API key" }
Rotate a key
To rotate a key, create a new one, update your integration to use it, then revoke the old key. Revoking takes effect immediately, so deploy the new key before removing the old one. 
