API authentication
How to authenticate against the public REST API: session cookies for the dashboard, Bearer API keys for programmatic access.
There are two ways to talk to Le Bureau. The dashboard uses a session cookie set on sign-in. Everything else -- scripts, CI jobs, third-party integrations, MCP clients -- uses an API key sent as Authorization: Bearer sk_live_.... Pick the right one for the caller; they are not interchangeable.
Session cookies (dashboard only)
Sign in with Google or GitHub and the dashboard receives a session cookie automatically. The cookie is marked HttpOnly, so page scripts cannot read it, and is scoped to the Le Bureau domain. It exists so the dashboard itself can call the API without juggling tokens.
Do not try to reuse this cookie from scripts, CI, or background workers. It is bound to a browser session and not designed for programmatic use. For anything outside the dashboard, create an API key.
API keys (programmatic access)
Send the key as a Bearer token in the Authorization header on every request:
curl https://lebureau.talentai.fr/v1/desktops \
-H "Authorization: Bearer sk_live_..."
Keys are managed only from the dashboard at /settings?tab=apiKeys -- there is no API to create, list, or revoke keys with another key. Each key starts with sk_live_, is stored only as a hash, and is shown in plaintext exactly once, at creation; a lost key cannot be recovered, so create a replacement and revoke the old one. Every key carries an explicit set of capabilities that decides which routes it can call. See API capabilities for the full list and how to choose them.
Rate limiting
The public API allows 60 requests per minute per key. Buckets are tracked per key, not per IP, so two separate keys running in parallel each get their own 60/min budget. If you need more headroom for an integration, split the workload across multiple keys.
When you exceed the limit, the response is 429 Too Many Requests. If a Retry-After header is present, wait that many seconds before retrying. Otherwise wait at least a few seconds, and lengthen the pause on each consecutive 429 rather than retrying in a tight loop.
Authentication errors
| Status | Meaning |
|---|---|
| 401 Unauthorized | The Authorization header is missing, malformed, or the key is invalid or revoked |
| 403 Forbidden | The key is valid but lacks the capability the route requires. Body includes required and held -- see API capabilities |
| 429 Too Many Requests | Rate limit reached. Honour Retry-After if present |
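The following client ties the three sections above together: it sends the key as a Bearer token, refuses to hard-code it, honours Retry-After on 429 and backs off when the header is absent, and turns 401/403 into distinct exceptions. It is an added example, not code shipped by Le Bureau. The environment variable name LEBUREAU_API_KEY, JSON response bodies, and the 403 body being JSON with required and held lists are assumptions (the page names the fields but not the encoding); the base URL, the /v1/desktops route and the sk_live_ prefix come from the page.

```python
"""Minimal Le Bureau API client: Bearer auth, 401/403/429 handling.

Added example, not Le Bureau's own code. Assumes JSON bodies and that a
403 body is JSON carrying "required" and "held" (the page names the
fields, not the encoding). Env var name is an assumption too.
"""
import json
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://lebureau.talentai.fr"  # from the page
KEY_PREFIX = "sk_live_"                     # from the page


class AuthError(Exception):
    """401: header missing or malformed, or key invalid or revoked."""


class CapabilityError(Exception):
    """403: key valid but lacks the capability the route requires."""

    def __init__(self, required, held):
        super().__init__(f"required={required} held={held}")
        self.required, self.held = required, held


def load_api_key(env_var="LEBUREAU_API_KEY"):
    """Read the key from the environment; never hard-code it (env var name assumed)."""
    key = os.environ.get(env_var, "")
    if not key.startswith(KEY_PREFIX):
        raise RuntimeError(f"{env_var} is unset or not a {KEY_PREFIX} key")
    return key


def auth_headers(api_key):
    """Build the Authorization header exactly as the page's curl example does."""
    if not api_key.startswith(KEY_PREFIX):
        raise ValueError(f"expected a key starting with {KEY_PREFIX}")
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}


def retry_after_seconds(headers, default):
    """Honour Retry-After (seconds) when present; otherwise use the caller's default."""
    for name, value in headers.items():
        if name.lower() == "retry-after":
            try:
                return max(0, int(value))
            except ValueError:      # HTTP-date form: fall back rather than guess
                return default
    return default


def _urllib_send(path, headers):
    """Real transport: returns (status, headers, body) and never raises on 4xx."""
    req = urllib.request.Request(BASE_URL + path, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def api_get(path, api_key, send=_urllib_send, sleep=time.sleep,
            max_retries=3, default_backoff=5):
    """GET `path` with Bearer auth. `send` and `sleep` are injectable so the
    retry logic can be exercised offline against a fake transport."""
    headers = auth_headers(api_key)
    backoff = default_backoff
    for attempt in range(max_retries + 1):
        status, resp_headers, body = send(path, headers)
        if status == 200:
            return json.loads(body) if body else None
        if status == 401:
            raise AuthError("missing/malformed header, or key invalid or revoked")
        if status == 403:
            info = json.loads(body) if body else {}
            raise CapabilityError(info.get("required"), info.get("held"))
        if status == 429 and attempt < max_retries:
            sleep(retry_after_seconds(resp_headers, backoff))
            backoff *= 2            # no Retry-After: grow the wait on repeated 429s
            continue
        raise RuntimeError(f"unexpected HTTP {status} from {path}")


if __name__ == "__main__":
    print(api_get("/v1/desktops", load_api_key()))
```

Because the key is checked for its prefix before any request is built, accidentally passing a dashboard session value (or an empty string) fails locally instead of producing a 401 against the live API. A 429 on the final attempt surfaces as an error rather than being swallowed, so a CI job sees the rate limit instead of silently retrying forever.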
Security practices
- Never commit keys to git, paste them in tickets or chat, write them to logs, or ship them in client-side code.
- Rotate periodically by creating a new key, switching the integration over, then revoking the old one.
- Use one key per integration so revoking one does not break the others.
- Scope keys to the minimum capabilities the integration actually needs.
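A cheap way to enforce the first practice is a pre-commit hook that refuses any staged change adding a key. The scanner below is an added example, not a tool provided by Le Bureau; the only fact it takes from the page is that keys start with sk_live_. The rest of the key is assumed to be an unbroken run of at least 16 characters from [A-Za-z0-9_-], and the sample diff is constructed for the example. The redact helper is what you would run over output before pasting it into a ticket.

```python
"""Catch Le Bureau API keys before they reach git or a ticket.

Added example, not Le Bureau's own tooling. The sk_live_ prefix is from
the page; the tail charset and minimum length are assumptions.
"""
import re
import subprocess
import sys

KEY_RE = re.compile(r"sk_live_[A-Za-z0-9_-]{16,}")  # tail charset/length assumed

# Constructed sample: one staged file adding a key, one removed line with a key.
SAMPLE_DIFF = """diff --git a/deploy.env b/deploy.env
--- a/deploy.env
+++ b/deploy.env
@@ -1,2 +1,2 @@
-OLD=sk_live_zzzzzzzzzzzzzzzzzzzz
+LEBUREAU_API_KEY=sk_live_abcdefghijklmnopqrstuvwxyz0123
+REGION=eu
"""


def find_keys(text):
    """Return [(line_no, key)] for every key-shaped token in `text`."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            hits.append((n, m.group(0)))
    return hits


def redact(text):
    """Replace each key with its prefix plus the last 4 chars, safe for tickets/logs."""
    return KEY_RE.sub(lambda m: f"{m.group(0)[:len('sk_live_')]}...{m.group(0)[-4:]}", text)


def scan_diff(diff_text):
    """Return the added ('+') lines of a unified diff that contain a key, redacted.

    Removed ('-') lines and the '+++' file header are ignored: only what the
    commit would introduce matters."""
    bad = []
    for line in diff_text.splitlines():
        if line.startswith("+") and not line.startswith("+++") and KEY_RE.search(line):
            bad.append(redact(line[1:]))
    return bad


def main():
    """Pre-commit entry point: scan the staged diff, exit 1 on any hit."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    bad = scan_diff(diff)
    for line in bad:
        print(f"refusing to commit an API key: {line}", file=sys.stderr)
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as .git/hooks/pre-commit (or wire it into your existing hook runner). Only added lines are checked, so removing a leaked key from a file does not trip the hook, and the offending line is printed redacted so the hook's own output does not leak the key into CI logs.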