Authentication

All API requests to ARKH require authentication using an API key. Your API key identifies your developer account and grants access to your apps and resources.

Getting an API Key

Create API keys in the API Keys section of your developer dashboard. You can create multiple keys for different environments (development, staging, production).

Good to Know

API keys are only shown once when created. Store them securely and never commit them to version control or expose them in client-side code.

Using Your API Key

Include your API key in the Authorization header of every request:

Authorization Header

curl -X GET "https://developer.arkh.com/api/apps" \
  -H "Authorization: Bearer arkh_xxxxxxxxxxxxx"

The key format is arkh_ followed by a random string. Keys are prefixed to help identify them in logs and configuration files.

Security Best Practices

  • Never expose keys in client-side code — API keys should only be used in server-side applications or secure backend services.
  • Use environment variables — Store keys in environment variables, not in your codebase.
  • Rotate keys regularly — Create new keys periodically and revoke old ones.
  • Use separate keys per environment — Create different keys for development, staging, and production.
  • Monitor usage — Check your API key activity in the dashboard to detect unauthorized access.
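
Added example (not ARKH's own code): a server-side Python helper that applies the practices above and uses the arkh_ prefix to redact keys from logs and to scan files before they are committed. The ARKH_API_KEY variable name, the function names, and the key character set (8 or more alphanumerics after the prefix) are assumptions, not part of the ARKH documentation.

```python
import logging
import os
import re

# Assumption: the random part is 8+ alphanumeric characters; the page only
# says "arkh_ followed by a random string", so adjust to your real keys.
KEY_RE = re.compile(r"\barkh_[A-Za-z0-9]{8,}\b")


def load_api_key(env=os.environ, var="ARKH_API_KEY"):
    """Read the key from the environment (variable name is an assumption)."""
    key = env.get(var, "").strip()
    if not KEY_RE.fullmatch(key):
        # Never echo the value itself: it may be a real secret with a typo.
        raise RuntimeError(f"{var} is unset or does not look like an arkh_ key")
    return key


def auth_headers(key):
    """Header documented above: Authorization: Bearer <key>."""
    return {"Authorization": f"Bearer {key}"}


def redact(text):
    """Mask keys but keep the prefix and last 4 chars so logs stay traceable."""
    return KEY_RE.sub(lambda m: "arkh_****" + m.group()[-4:], text)


class RedactKeys(logging.Filter):
    """Logging filter that redacts keys from every record before output."""
    def filter(self, record):
        record.msg, record.args = redact(record.getMessage()), None
        return True


def find_keys(path_to_text):
    """Pre-commit style scan: return (path, line_no) for each leaked key."""
    hits = []
    for path, text in path_to_text.items():
        for no, line in enumerate(text.splitlines(), 1):
            if KEY_RE.search(line):
                hits.append((path, no))
    return hits


if __name__ == "__main__":
    sample = "arkh_Zq3TestOnlyKey9921"  # constructed value, not a real key
    print(redact(f"GET /api/apps Authorization: Bearer {sample}"))
    print(find_keys({"settings.py": f"DEBUG = True\nARKH_KEY = '{sample}'\n"}))
```

Attach RedactKeys to each logging handler with handler.addFilter(RedactKeys()) so keys are masked no matter which logger emits the record.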

Webhooks

Webhooks are outbound requests from ARKH to your server, so they don't require API key authentication. Instead, webhooks are signed with HMAC-SHA256 using your webhook secret so you can verify they came from ARKH.

See the Webhooks documentation for details on verifying webhook signatures.

Authentication Errors

If authentication fails, the API returns a 401 Unauthorized response:

Error Response

{
  "error": "unauthorized",
  "message": "Invalid or missing API key"
}

Error   Cause
401     Missing or invalid API key
403     Valid key but insufficient permissions for this resource