Done Bear Docs

Authenticate API Requests

Send authenticated requests to the Done Bear API with a JWT or API key.

This guide shows you how to authenticate requests to https://api.donebear.com. When you finish, you will be able to call REST endpoints, GraphQL, and the sync transport with a bearer token or API key.

Send a bearer header

Every documented API surface uses the same header shape:

curl https://api.donebear.com/api/workspaces \
  -H "Authorization: Bearer <token>"

Use a CLI-created API key for automation

Create a key from the CLI:

donebear api-key create "CI"

Then export it:

export DONEBEAR_TOKEN="<db_key>"
curl https://api.donebear.com/api/workspaces \
  -H "Authorization: Bearer $DONEBEAR_TOKEN"

API keys are the recommended credential for CI jobs and long-lived integrations.

Use a JWT for user-scoped requests

The API also accepts Supabase JWTs as bearer tokens. That is the credential type used by the CLI's interactive OAuth flow.

curl https://api.donebear.com/graphql \
  -H "Authorization: Bearer <jwt>" \
  -H "Content-Type: application/json" \
  --data '{"query":"query { viewer { id email } }"}'

Verify that auth works

Run a simple REST request:

curl https://api.donebear.com/api/workspaces \
  -H "Authorization: Bearer <token>"

Run a simple GraphQL request:

curl https://api.donebear.com/graphql \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  --data '{"query":"query { viewer { id email } }"}'

Common auth errors

| Response | Meaning | Fix |
| --- | --- | --- |
| `401 {"error":"Authorization header required"}` | You did not send a bearer header | Add `Authorization: Bearer <token>` |
| `401 {"error":"Invalid authorization format"}` | The header is not `Bearer ...` | Fix the header format |
| `401 {"error":"Invalid API key"}` | The `db_` key is invalid or revoked | Create a new key or use another credential |
| `401 {"error":"Invalid token"}` | The JWT is invalid | Refresh the token or sign in again |
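
As an added example (not part of the Done Bear docs or CLI), this shell preflight for a CI job maps a response to the fix in the table above and passes the bearer header to curl on stdin so the token stays out of the process argument list. The function names are hypothetical, and it assumes the token contains no `"` or `\` characters.

```shell
# Added example; function names are hypothetical, not part of the Done Bear CLI.

# Classify the credential by shape only, without echoing it.
credential_kind() {
  case "$1" in
    "")    echo missing ;;
    db_*)  echo api-key ;;  # assumption: keys carry the db_ prefix named in the table
    *.*.*) echo jwt ;;      # JWTs are dot-separated segments
    *)     echo unknown ;;
  esac
}

# Map an HTTP status and response body to the fix from the error table.
# Returns 0 when authenticated, 1 on a documented 401, 2 otherwise.
diagnose_auth() {
  case "$1" in
    2??) echo "authenticated"; return 0 ;;
    401) ;;
    *)   echo "unexpected HTTP status $1"; return 2 ;;
  esac
  case "$2" in
    *"Authorization header required"*) echo "no bearer header: add Authorization: Bearer <token>" ;;
    *"Invalid authorization format"*)  echo "header is not Bearer ...: fix the header format" ;;
    *"Invalid API key"*)               echo "db_ key invalid or revoked: create a new key" ;;
    *"Invalid token"*)                 echo "JWT invalid: refresh the token or sign in again" ;;
    *)                                 echo "undocumented 401 body"; return 2 ;;
  esac
  return 1
}

# Live check against the REST endpoint used in this guide. The header is fed
# to curl on stdin (--config -) by the shell's builtin printf, so the token
# never appears in any process's argument list.
check_auth() {
  kind=$(credential_kind "${DONEBEAR_TOKEN:-}")
  [ "$kind" != missing ] || { echo "DONEBEAR_TOKEN is not set" >&2; return 2; }
  echo "credential kind: $kind" >&2
  out=$(printf 'header = "Authorization: Bearer %s"\n' "$DONEBEAR_TOKEN" |
    curl --silent --config - --write-out '\n%{http_code}' \
      https://api.donebear.com/api/workspaces) || return 3
  status=$(printf '%s\n' "$out" | tail -n 1)   # last line is the HTTP status
  body=$(printf '%s\n' "$out" | sed '$d')      # everything before it is the body
  diagnose_auth "$status" "$body"
}

# Constructed response, so this line runs offline.
diagnose_auth 401 '{"error":"Invalid API key"}' || true
```

In a pipeline, call `check_auth || exit 1` before the first real request.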
