Developer Docs

Authentication

How to generate and use a Bearer API key for the LearningStudioAI public API. Paid plan required.

The LearningStudioAI API authenticates every request with a per-user API key sent as a bearer token. Keys are tied to a single user account and require an active paid plan.

Generating a key

  1. Sign in to your LearningStudioAI account.
  2. Open Account → API key.
  3. Click Generate.
  4. Copy the ls_... value immediately — we only display it once.

The key is hashed at rest (sha256). Once you close the dialog, the raw value is gone. If you lose it, regenerate.

Using your key

Send the key in the Authorization header on every request, prefixed with Bearer:

curl https://learningstudioai.com/api/v1/courses \
  -H "Authorization: Bearer ls_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{ "subject": "Onboarding for new hires" }'

That's the only auth header. The Bearer token is the sole credential.

Plan requirements

API access requires an active paid plan. Requests from accounts on the free plan return:

{ "message": "API access requires a paid plan", "code": "PAID_PLAN_REQUIRED" }

with HTTP 403. The plan check runs on every request, so a key stops working the moment the account is downgraded and starts working again the moment it's upgraded.

Rotating a key

Each user has a single active key. Clicking Regenerate mints a new key and atomically revokes the previous one.

To rotate without downtime:

  1. Generate the new key in a staging environment.
  2. Verify your integration works against it.
  3. Deploy the new key to production.
  4. Regenerate in the dashboard (the previous key stops working at this point).

Revoking a key

Click Revoke on the API key card. The key stops working immediately.

Key format

API keys look like ls_<random>. The ls_ prefix is stable and useful for secret-scanning tools (GitHub, Gitleaks, etc.) — configure them to flag committed ls_ strings.

Security notes

  • Treat keys like passwords. Never commit them to source control or expose them in client-side code.
  • Use environment variables. LEARNINGSTUDIO_API_KEY is a sensible name.
  • Store hashed copies, not raw. If your platform persists keys for multiple tenants, store the sha256 hash.
  • Revoke on suspicion. Faster than investigating.