API keys authenticate your app, not a member. Use them on restaurant and location Discovery routes. They are the only credential those routes accept.

Format

API keys are 40-character strings with a prefix that indicates how they were issued:
bb_live_<40 chars>    Live integration credentials
bb_test_<40 chars>    Test integration credentials
The prefix is a labeling hint. The environment binding is server-side: your key is scoped to the DeveloperApp and environment it was minted under. Use the key you received in your onboarding email; the prefix it carries is the prefix you should expect.
Tasting note - Don’t try to predict environment from prefix alone. If you received a bb_live_… key with your staging credential set, that’s the right key for staging. If you received bb_test_…, same. The server resolves which environment the key authorizes based on internal state, not by reading the prefix at request time.
Send the key in the X-API-Key request header:
curl -H "X-API-Key: $API_KEY" \
  https://api.staging.blackbird.xyz/flynet/v1/restaurants

What API keys cover

| Route | API key | OAuth bearer |
| --- | --- | --- |
| /restaurants and /restaurants/{id} | Required | Returns 401 MISSING_API_KEY |
| /restaurants/{id}/locations | Required | Returns 401 MISSING_API_KEY |
| /locations and /locations/{id} | Required | Returns 401 MISSING_API_KEY |
| /locations/{id}/open_hours | Required | Returns 401 MISSING_API_KEY |
| /users/me/*, /check_ins*, /memberships, /payment_intents/* | Returns 401 (empty body) | Required |
From the kitchen - Discovery routes use the API key. Member-acting routes use OAuth. The two do not substitute for each other.
Chef’s warning - API keys are server-side only. Every call that carries an API key must originate from your backend, never from a browser, mobile client, or any code shipped to users. Don’t embed them in client-side bundles, public repos, screenshots, or environment variables checked into source. A key visible in a client is a key you have to assume is compromised. Treat them as you would a password, and route Discovery calls through your own backend rather than calling the API directly from the client.
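One way to route Discovery calls through your own backend, as an added example (not Blackbird's code): the helper allow-lists the Discovery routes from the table above and attaches the key server-side. The function names, the `{id}` character set and the GET-only assumption are illustrative, not taken from the API reference.

```python
import os
import re
import urllib.request

# Base URL taken from the curl example on this page (staging).
BASE_URL = "https://api.staging.blackbird.xyz/flynet/v1"

# Discovery routes from the table above. The {id} character set is an assumption.
_ID = r"[A-Za-z0-9_-]+"
DISCOVERY_ROUTES = [re.compile(p) for p in (
    r"/restaurants",
    rf"/restaurants/{_ID}",
    rf"/restaurants/{_ID}/locations",
    r"/locations",
    rf"/locations/{_ID}",
    rf"/locations/{_ID}/open_hours",
)]


def is_discovery_path(path: str) -> bool:
    """True only for an exact Discovery route (no query string, no traversal)."""
    return any(route.fullmatch(path) for route in DISCOVERY_ROUTES)


def build_discovery_request(path: str, env=os.environ) -> urllib.request.Request:
    """Build the upstream GET for a client-requested path, adding the key server-side."""
    if not is_discovery_path(path):
        # Member-acting routes (/users/me/*, /check_ins*, ...) take OAuth, not the key.
        raise PermissionError(f"not a Discovery route: {path!r}")
    key = env.get("API_KEY")  # same variable name as the curl example
    if not key:
        raise RuntimeError("API_KEY is not set in the backend environment")
    # Only the key header is set; nothing from the client's request is copied over.
    return urllib.request.Request(
        BASE_URL + path, headers={"X-API-Key": key}, method="GET"
    )


def fetch_discovery(path: str) -> bytes:
    """Call from a backend handler; relay only the response body to the client."""
    with urllib.request.urlopen(build_discovery_request(path), timeout=10) as resp:
        return resp.read()
```

The client sends only the path to your backend; the key never appears in a response, a bundle, or a client-visible header.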

If a key leaks

Contact Blackbird support to revoke and issue a new key. Old keys stop working immediately on revocation.

Mixing environments

Don’t reuse a key across environments. Your staging key authenticates against the staging API; your production key authenticates against the production API. They’re issued separately and aren’t substitutes for each other, regardless of the prefix you see.