SoundScape Documentation

Authentication & API Keys

API Key Creation & Management

SoundScape uses bearer tokens for stateless authentication. All requests to the /v2/assets and /v2/sync endpoints require a valid API key attached to the Authorization header.

Keys are scoped to specific projects and enforce strict rate limits. You can generate, rotate, or revoke keys directly from your dashboard under Settings > Integrations. Each key is tied to a unique client_id and does not expire unless it is manually revoked or left inactive for 90 days. Production keys (sk_live_...) allow direct download access, while sandbox keys (sk_test_...) restrict traffic to the staging environment.

Access Level

Read-Only Keys

Ideal for asset browsers and metadata queries. Limited to GET requests on /v2/assets and /v2/categories. Rate-limited to 120 requests per minute per IP.

Full-Access Keys

Required for project synchronization and bulk uploads. Supports POST/PUT/DELETE operations on /v2/projects and /v2/sync. Includes webhook registration privileges.

Service Account Keys

Designed for CI/CD pipelines and headless renderers. These keys bypass the standard rate limits, up to 500 req/min, and include automatic retry headers for transient failures.

OAuth 2.0 Flow for Team Access

Enable secure, delegated access for collaborators without sharing master credentials. SoundScape supports the standard Authorization Code flow with PKCE for public clients.

Team leads can invite members via email or generate temporary invitation links. Once authorized, users receive an access_token (valid for 1 hour) and a refresh_token (valid for 30 days). All token exchanges are routed through https://auth.soundscape.io/oauth/token and require HTTPS. Scopes are granular: assets:read, projects:write, and billing:view can be combined per integration.

Authorization Code Grant

Redirect users to https://auth.soundscape.io/authorize with your client_id and requested scopes. Capture the authorization_code and exchange it for tokens via a secure backend call.

Refresh Token Rotation

Each refresh_token is single-use. When exchanged, SoundScape issues a new access_token and a new refresh_token. Expired tokens are automatically purged from the token store after 24 hours.

Scope Validation

Applications must declare required scopes during registration. Attempting to access /v2/projects with only assets:read returns a 403 Forbidden response with a detailed scopes_required payload.

Security Guidelines & Access Control

Protect your audio assets and project data with enterprise-grade security controls. SoundScape enforces TLS 1.3 for all connections and signs webhook payloads using HMAC-SHA256.

We recommend implementing IP allowlists for production environments, enabling automatic key rotation, and monitoring the real-time audit log for unusual download patterns or failed authentication attempts. All API traffic is logged for 365 days and accessible via the /v2/audit endpoint.

IP Allowlisting

Restrict key usage to specific CIDR blocks or static IPs. Configure allowlists under Security > Network. Requests originating from unlisted addresses receive a 401 Unauthorized response.

Automatic Key Rotation

Schedule quarterly key regeneration to minimize exposure risk. SoundScape maintains a 14-day overlap window where both old and new keys remain active during migration.

Webhook Signature Verification

Validate incoming events by comparing the X-SoundScape-Signature header against a locally computed HMAC using your webhook secret. Reject payloads that fail verification or whose timestamp falls outside the 5-minute window.
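
One way to implement the signature and timestamp check described above. This is an added example, not SoundScape's own code. The page does not specify the wire format, so the hex encoding, the X-SoundScape-Timestamp header name, and the "<timestamp>.<body>" signed message are assumptions, and the secret and payload are constructed sample values.

```python
import hashlib
import hmac
import time

# Assumptions, not stated on the page: the signature is hex-encoded, the event
# time arrives as Unix seconds in a hypothetical X-SoundScape-Timestamp header,
# and the signed message is "<timestamp>.<raw body>".
MAX_SKEW_SECONDS = 5 * 60  # the 5-minute window from the guideline above

SECRET = b"constructed-webhook-secret"            # constructed sample value
BODY = b'{"event": "example", "id": "evt_0001"}'  # constructed sample payload


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over the timestamp and the raw request body."""
    message = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (accepted, reason). Pass the raw body bytes, not re-serialized JSON."""
    now = time.time() if now is None else now
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    signature = lowered.get("x-soundscape-signature", "").strip().lower()
    timestamp = lowered.get("x-soundscape-timestamp", "").strip()
    if not signature or not timestamp:
        return False, "missing header"
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False, "malformed timestamp"
    expected = sign(secret, timestamp, body)
    # Constant-time comparison: no early exit that leaks how many bytes matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    # The timestamp is covered by the MAC, so it can be trusted once the MAC checks out.
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False, "outside 5-minute window"
    return True, "ok"


if __name__ == "__main__":
    ts = "1700000000"
    hdrs = {"X-SoundScape-Signature": sign(SECRET, ts, BODY),
            "X-SoundScape-Timestamp": ts}
    print(verify_webhook(SECRET, hdrs, BODY, now=1700000060))        # fresh
    print(verify_webhook(SECRET, hdrs, BODY + b" ", now=1700000060))  # altered body
    print(verify_webhook(SECRET, hdrs, BODY, now=1700000000 + 301))  # replayed late
```

Compute the HMAC over the bytes exactly as received; parsing and re-serializing the JSON before hashing changes the input and makes valid events fail verification.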