Authentication

The Dessert API authenticates every request with a bearer token. Keys are scoped to a single account; each account currently maps to one brand.

Key format

API keys start with the dsrt_live_ prefix followed by 40 hexadecimal characters:

dsrt_live_1f9c83bd6c4a2e7081ba9d5e4f2c1a30

We store only a SHA-256 hash of your key plus the last four characters (for the …1a30 portal preview). The plaintext key is shown once at creation — copy it immediately. If you lose it, rotate to a new one (see below).

Where to find your key

  1. Sign in at app.dessert.dev.
  2. Open Settings → API keys.
  3. Click Create key. Save the value returned — it's the only time you'll see it in full.

Sending the key

Send the key as a Bearer token in the Authorization header on every request:

curl:

curl https://api.dessert.dev/v1/balance \
  -H "Authorization: Bearer $DESSERT_API_KEY"

Python:

import os, requests

requests.get(
    "https://api.dessert.dev/v1/balance",
    headers={"Authorization": f"Bearer {os.environ['DESSERT_API_KEY']}"},
)

TypeScript:

await fetch("https://api.dessert.dev/v1/balance", {
  headers: { Authorization: `Bearer ${process.env.DESSERT_API_KEY}` },
});

Storing keys safely

Never commit API keys to source control. Once a key lands in a public repo it's effectively burned — bots scan GitHub for the dsrt_live_ prefix and we will revoke leaked keys without notice.

Use environment variables or a secret manager:

  • Local dev: put it in a .env file that's listed in .gitignore. Load with dotenv or similar.
  • Cloud Run / Lambda / Vercel: use the platform's secret store (Secret Manager, SSM, encrypted env vars).
  • Browser: never call the Dessert API directly from a browser. Proxy through your own backend.
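
A pre-commit style check for the rule above, as an added example that is not part of the Dessert documentation or tooling: it scans text for strings shaped like a dsrt_live_ key and reports them redacted to the last four characters. The function names, the sample file content and the 32-character minimum (chosen so the sample key shown earlier on this page matches) are assumptions.

```python
import re
import sys

# Prefix taken from this page. The minimum of 32 hex characters is an
# assumption, chosen so the sample key shown earlier on the page matches.
KEY_RE = re.compile(r"dsrt_live_[0-9a-fA-F]{32,}")


def redact(key: str) -> str:
    """Keep only the prefix and the last four characters of a key."""
    return f"dsrt_live_...{key[-4:]}"


def scan_text(text: str, source: str = "<input>"):
    """Return (source, line_number, redacted_key) for each key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group())))
    return findings


def scan_files(paths):
    """Scan each readable file; skip deleted or non-regular staged paths."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError:
            continue
    return findings


# Constructed sample: a settings file with a hard-coded key. The value is the
# sample key from this page, not a real credential.
SAMPLE = """\
DEBUG=false
DESSERT_API_KEY=dsrt_live_1f9c83bd6c4a2e7081ba9d5e4f2c1a30
# safe: read the key from the environment instead
api_key = os.environ["DESSERT_API_KEY"]
"""

if __name__ == "__main__":
    # As a hook: pass the staged file paths as arguments. With no arguments
    # the constructed sample is scanned instead.
    args = sys.argv[1:]
    hits = scan_files(args) if args else scan_text(SAMPLE, "sample.env")
    for source, lineno, preview in hits:
        print(f"{source}:{lineno}: possible Dessert API key {preview}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status on a finding is what lets a Git pre-commit hook or CI step block the commit; the full key is never printed, so the scanner's own log does not become a second leak.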

Rotating a key

Open Settings → API keys, click Rotate. You'll be shown a new key immediately, and the old key is revoked within five minutes. Update your secret manager before the cutover.

Errors

| Status | Code | Meaning |
|---|---|---|
| 401 | missing_authorization | No Authorization header was sent. |
| 401 | invalid_authorization_scheme | Header didn't start with "Bearer ". |
| 401 | invalid_key_format | Key did not begin with dsrt_live_. |
| 401 | invalid_api_key | Key is unknown or has been revoked. |
| 403 | account_suspended | Account is suspended. Contact support. |
| 425 | brand_onboarding_in_progress | Brand scrape is still running (15–60 min). Poll GET /v1/brands. |

See the full Errors reference for the response envelope and every code.