Skip to main content

Introduction

The Copera Public API supports two authentication methods: Personal Access Tokens and Integration API Keys. Each method is suited to different use cases. All API requests must include a valid token in the Authorization header using the Bearer scheme.

Personal Access Tokens

Personal Access Tokens (PATs) allow you to authenticate as yourself when calling the API. They are prefixed with cp_pat_.

Generating a Token

  1. Open your Workspace Settings.
  2. Navigate to Integrations.
  3. Select the Personal Tokens tab.
  4. Click Create new token.
  5. Set a name and expiration date (maximum 1 year).
  6. Copy the token immediately — it appears only once.

Characteristics

  • Workspace-scoped — each token is tied to a specific workspace.
  • Acts as your identity — API requests made with a PAT are attributed to you.
  • Has an expiration — tokens expire after the configured duration, up to a maximum of 1 year.

Example Request

GET https://api.copera.ai/public/v1/docs/tree
Authorization: Bearer cp_pat_your_token_here

Integration API Keys

Integration API Keys are the existing method for authenticating bots and integrations. They are prefixed with cp_key_.

Characteristics

  • Bot identity — requests are attributed to the integration, not a specific user.
  • Used for boards and channels — designed for interacting with board and channel endpoints.
  • Requires explicit permissions — the integration must be granted access to specific resources.
See Getting Started for instructions on creating an integration and generating an API key.

When to Use Which

MethodPrefixBest for
Personal Access Tokencp_pat_Scripts, CI pipelines, personal automation acting as yourself
Integration API Keycp_key_Bots, integrations with a separate identity
Use Personal Access Tokens when you want API calls to be attributed to your user account — for example, managing documents or running personal automations. Use Integration API Keys when you need a separate bot identity that operates independently from any specific user.

Security Best Practices

  • Store tokens securely — use environment variables or secret managers, never hardcode tokens in your application.
  • Set short expiration dates — use the shortest practical expiration for your use case.
  • Rotate tokens regularly — generate new tokens periodically and revoke old ones.
  • Never commit tokens to source control — add token files to .gitignore and use CI/CD secrets management.
  • Use the minimum required scope — only request the permissions your integration needs.