Authentication
Every request to the JobTactics Public API is authenticated with a personal API key tied to your JobTactics account. Keys are bearer credentials — treat them like passwords and never embed them in client-side code.
1. Generate a key
- Sign in to app.jobtactics.io.
- Open Settings → API keys.
- Click Create a new key, give it a recognizable name, and copy the value shown once. You won’t be able to read it again — only its preview (first / last characters) is stored.
Keys always start with the prefix jt_sk_. The full string is required for every request.
2. Send the key
Pass the key as a bearer token in the Authorization header:
```
Authorization: Bearer jt_sk_your_key_here
```
Example with curl:
```bash
curl https://api.jobtactics.io/api/v1/public/credits/balance \
  -H "Authorization: Bearer jt_sk_your_key_here"
```
Example with fetch:
```javascript
// Server-side code: the key is read from the environment, never hard-coded.
const response = await fetch(
  "https://api.jobtactics.io/api/v1/public/credits/balance",
  {
    headers: {
      Authorization: `Bearer ${process.env.JOBTACTICS_API_KEY}`,
    },
  },
);
```
3. Error responses
| Status | Meaning |
|---|---|
| 401 Unauthorized | Missing, malformed, or revoked key. Check the header value and confirm the key is still active. |
| 402 Payment Required | Insufficient credits for this operation. Top up at app.jobtactics.io/credits. |
| 403 Forbidden | The endpoint requires a resource you do not own (e.g. a premium template you have not purchased). |
| 429 Too Many Requests | Rate limit hit — slow down and retry with exponential back-off. |
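As an added example (not JobTactics' own code), the server-side wrapper below sends the bearer header from section 2 and acts on each status in the table above: it retries only on 429 with capped exponential back-off and keeps the full key out of error messages. The helper names are hypothetical, and the retry limit, delay values, four-character key preview and JSON response body are assumptions.

```javascript
// Added example, not JobTactics code. Helper names are hypothetical; retry limits,
// delays, preview length and a JSON response body are assumptions.
const BASE_URL = "https://api.jobtactics.io/api/v1/public";
const KEY_PREFIX = "jt_sk_";
// Documented statuses mapped to what the caller should do next.
const ACTIONS = { 401: "check_or_rotate_key", 402: "top_up_credits", 403: "not_owner", 429: "retry" };

// Log-safe preview so the full bearer credential never reaches logs or error trackers.
function redactKey(key) {
  return `${KEY_PREFIX}...${key.slice(-4)}`;
}

// Exponential back-off, capped: 500 ms, 1 s, 2 s, 4 s, then 8 s.
function backoffDelayMs(attempt, baseMs = 500, capMs = 8000) {
  return Math.min(capMs, baseMs * 2 ** attempt);
}

function classifyStatus(status) {
  if (status >= 200 && status < 300) return "ok";
  return ACTIONS[status] ?? "unexpected";
}

async function callPublicApi(path, { apiKey, fetchImpl = globalThis.fetch, sleep, maxRetries = 3 } = {}) {
  // Fail closed before any network call if the key is absent or clearly not a JobTactics key.
  if (typeof apiKey !== "string" || !apiKey.startsWith(KEY_PREFIX)) {
    throw new Error("API key missing or not in jt_sk_ format; request not sent");
  }
  const wait = sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(`${BASE_URL}${path}`, {
      headers: { Authorization: `Bearer ${apiKey}` },
    });
    const action = classifyStatus(res.status);
    if (action === "ok") return res.json();
    if (action === "retry" && attempt < maxRetries) {
      await wait(backoffDelayMs(attempt)); // 429 only; the other errors will not fix themselves
      continue;
    }
    const err = new Error(`JobTactics API ${res.status} (${action}), key ${redactKey(apiKey)}`);
    err.status = res.status;
    err.action = action;
    throw err;
  }
}
```

Call it as `callPublicApi("/credits/balance", { apiKey: process.env.JOBTACTICS_API_KEY })`; the `fetchImpl` and `sleep` options exist so the retry logic can be exercised without network access.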
4. Rotation and revocation
You can revoke a key at any time from Settings → API keys. Revocation takes effect within a few seconds. Treat any leaked key as compromised:
- Revoke the leaked key immediately.
- Generate a new one with a different name.
- Update every consumer that referenced the old key.
5. Usage tracking
Each key tracks usage_count and last_used_at — visible in your dashboard. You will receive an
email alert when a single key crosses the platform-wide high-usage threshold within a 24-hour
window. This signal is one of the primary controls for detecting key leaks early.
6. Things to keep in mind
- Server-side only. Never ship a key in a mobile app, browser bundle, or anything that runs on end-user devices. Use a backend proxy.
- Per-user scope. A key authenticates as the user who created it — every request consumes that user’s credits and writes to that user’s resources. There is no service-to-service / org-scoped key today.
- No JWT, no refresh. Public API endpoints do not accept JWT access tokens. JWTs are reserved for the dashboard frontend.
- Single auth scheme. API keys are the only accepted credential on /public/* endpoints. There is no API key support on internal endpoints.
Need help? Reach out at support@jobtactics.io.