Authentication
How to authenticate with the Attend-Go API using API keys and bearer tokens.
API Keys
All public API endpoints require authentication via an API key. Keys are prefixed with attg_live_ and are 42+ characters long. When stored, keys are SHA-256 hashed — Attend-Go never stores your plaintext key.
Bearer Token Format
Include your API key in the Authorization header as a Bearer token:

    Authorization: Bearer attg_live_abc123def456ghi789jkl012mno345pqr
Key Management
Generate keys from the Integrations page in your dashboard. Only Admins and Owners can manage API keys. Each key has a label, scope (currently 'read'), and timestamps for creation and last use. Revoke compromised keys immediately — revoked keys stop working instantly.
Scopes & Permissions
Currently all API keys are issued with the 'read' scope, which grants access to GET endpoints (Ping, Attendance Export). Write scopes for creating/updating data will be available in a future release.
Security Best Practices
Never expose API keys in client-side code or public repositories. Rotate keys periodically and revoke old ones. Use environment variables to store keys in your applications. Monitor the Usage dashboard to detect unusual traffic patterns.
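The practices above, sketched in Python as an added example (not Attend-Go's own code): the key is read from an environment variable, checked against the documented attg_live_ prefix and 42-character minimum, and source text is scanned for hard-coded keys, which are reported only as a redacted fingerprint. Assumptions: the variable name ATTEND_GO_API_KEY, an alphanumeric key body, and all function names are hypothetical.

```python
import hashlib
import os
import re

# Assumption: the key body after the documented "attg_live_" prefix is
# alphanumeric; the page only states the prefix and the 42+ total length.
KEY_PREFIX = "attg_live_"
MIN_KEY_LEN = 42
KEY_RE = re.compile(r"attg_live_[A-Za-z0-9]{%d,}" % (MIN_KEY_LEN - len(KEY_PREFIX)))

def load_api_key(env=os.environ, var="ATTEND_GO_API_KEY"):
    """Read the key from an environment variable (the name is hypothetical)."""
    key = env.get(var, "").strip()
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"{var} is unset or not a well-formed {KEY_PREFIX} key")
    return key

def auth_headers(key):
    """Build the Bearer header in the format the page documents."""
    return {"Authorization": f"Bearer {key}"}

def redact(key):
    """Prefix plus a short SHA-256 fingerprint, safe to write to logs."""
    digest = hashlib.sha256(key.encode()).hexdigest()[:8]
    return f"{KEY_PREFIX}...[sha256:{digest}]"

def find_leaked_keys(text):
    """Return (line_number, redacted_key) for every key literal in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, redact(match.group())))
    return hits

# Constructed sample: a source file that hard-codes the page's example key.
SAMPLE_SOURCE = '''\
import os
API_KEY = "attg_live_abc123def456ghi789jkl012mno345pqr"  # hard-coded: flagged
API_KEY = os.environ["ATTEND_GO_API_KEY"]                 # from env: fine
SHORT = "attg_live_tooshort"                              # under 42 chars: ignored
'''

if __name__ == "__main__":
    for lineno, shown in find_leaked_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: hard-coded key {shown}")
```

Running find_leaked_keys over staged files in a pre-commit hook catches a hard-coded key before it reaches a repository; any key it flags should be revoked from the Integrations page.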