Authentication
All requests to the Optimaite API must be authenticated using an API key. API keys are scoped to a specific workspace and carry a set of permissions.
API Keys
Creating an API Key
- Navigate to Workspace Settings > API Keys in Optimaite Law
- Click Create API Key
- Give it a descriptive name (e.g., "CRM Integration")
- Select the scopes (permissions) the key needs
- Click Generate Key
- Copy the key immediately -- it is shown only once
API keys are secrets. Store them securely (environment variables, secret managers) and never commit them to version control. If a key is compromised, revoke it immediately.
Authenticating Requests
Include your API key in the Authorization header as a Bearer token:
Authorization: Bearer opt_live_abc123def456ghi789
Every request must include this header. Requests without a valid key receive a 401 Unauthorized response.
Key Prefixes
- opt_live_ -- Live (production) key
- opt_test_ -- Test key (uses sandbox data)
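The following is an added example, not Optimaite's own code, showing one way to load a key from the environment, fail closed when its prefix does not match the intended environment, build the Authorization header, and mask keys in logs or in files checked before commit. The variable name OPTIMAITE_API_KEY and the alphanumeric key body are assumptions based on the sample key above.

```python
import os
import re

# Assumption: the part after the prefix is alphanumeric, as in this page's
# sample key. Adjust the pattern if real keys use other characters.
KEY_RE = re.compile(r"\bopt_(live|test)_[A-Za-z0-9]{8,}\b")
ENV_VAR = "OPTIMAITE_API_KEY"  # hypothetical variable name


def load_key(expected, env=os.environ):
    """Read the key from the environment and check its prefix.

    expected is "live" or "test"; a mismatch fails closed so a test run
    never sends a production key (or the reverse).
    """
    key = env.get(ENV_VAR, "").strip()
    m = KEY_RE.fullmatch(key)
    if m is None:
        raise ValueError(f"{ENV_VAR} is unset or not an opt_live_/opt_test_ key")
    if m.group(1) != expected:
        raise ValueError(f"expected an opt_{expected}_ key, got opt_{m.group(1)}_")
    return key


def auth_headers(key):
    """Build the header described under Authenticating Requests."""
    return {"Authorization": f"Bearer {key}"}


def redact(text):
    """Mask key bodies before text reaches logs or error reports."""
    return KEY_RE.sub(lambda m: f"opt_{m.group(1)}_****{m.group(0)[-4:]}", text)


def find_keys(text):
    """Return (line_number, redacted_match) for each key found in text,
    for use in a pre-commit or CI check."""
    return [(n, redact(m.group(0)))
            for n, line in enumerate(text.splitlines(), 1)
            for m in KEY_RE.finditer(line)]


if __name__ == "__main__":
    sample_env = {ENV_VAR: "opt_test_abc123def456ghi789"}  # constructed key
    key = load_key("test", env=sample_env)
    print(redact(str(auth_headers(key))))
    print(find_keys("url = x\ntoken = 'opt_live_abc123def456ghi789'\n"))
```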
Scopes
API keys are scoped to limit which resources they can access. When creating a key, you select one or more scopes:
| Scope | Description |
|---|---|
| cases:read | Read case data |
| cases:write | Create and update cases |
| cases:delete | Delete cases |
| parties:read | Read party/contact data |
| parties:write | Create and update parties |
| parties:delete | Delete parties |
| documents:read | Read document metadata |
| documents:write | Upload and update documents |
| documents:delete | Delete documents |
| deadlines:read | Read calendar events and deadlines |
| deadlines:write | Create and update deadlines |
| calendar:read | Read calendar events and scheduling |
| calendar:write | Create events and manage scheduling |
| invoices:read | Read invoice data |
| invoices:write | Create and update invoices |
Follow the principle of least privilege. Only request the scopes your integration actually needs. You can always create multiple API keys with different scopes for different use cases.
Managing API Keys
Listing Keys
Navigate to Workspace Settings > API Keys to see all active keys, their scopes, last used date, and creation date.
Rotating Keys
To rotate a key without downtime:
- Create a new API key with the same scopes
- Update your integration to use the new key
- Verify the integration works with the new key
- Revoke the old key
Revoking Keys
Click Revoke next to any key in the API Keys settings page. Revocation is immediate -- all requests using that key will receive 401 Unauthorized.
Error Responses
| Status | Code | Meaning |
|---|---|---|
| 401 | AUTH_INVALID_KEY | API key is missing, malformed, or revoked |
| 401 | AUTH_EXPIRED_KEY | API key has expired |
| 403 | AUTH_INSUFFICIENT_SCOPE | Key does not have the required scope for this endpoint |
| 403 | AUTH_TENANT_INACTIVE | Workspace subscription is not active |
Next Steps
- Rate Limits -- Understand request quotas
- Cases API -- Start making requests