Skip to content

Authentication

Every request needs an API key in the X-API-Key header.

GET /backend-api/api/public/v1/projects HTTP/1.1
Host: app.autonomiq.de
X-API-Key: smk_live_q3z7m...

Token format

Live keys: smk_live_<40 base32 chars>.

The plaintext is shown exactly once on creation. SimplyMill stores only an argon2id hash. A lost key cannot be recovered; revoke and mint a new one.

Minting a key

Mint and manage keys from the SimplyMill web app:

  1. Sign in at app.autonomiq.de.
  2. Open Settings → API keys in the sidebar.
  3. Click Create new key, enter a memorable name (e.g. "Production integration"), and confirm.
  4. Copy the plaintext key. This is the only time it will be displayed, so store it in your secrets manager immediately.

Keys minted from this page grant full access to your account (every scope listed below). The list view shows each key's name, prefix, creation date, and last-used timestamp so you can track usage.

Scopes

Every public endpoint declares the scopes it requires (x-required-scopes in OpenAPI). Keys with missing scopes are rejected with 403. Keys minted via the web app hold the full set, so this matters mostly when you understand which capabilities a given key needs to be authorised for.

Scope Grants
projects:read List projects, fetch tasks.
projects:write Create / delete projects.
cam:write Upload workpieces, set stock, postprocess.
automation:run Start automated CAM planning.
quote:read Read cost breakdowns.
quote:write Override pricing, MHR, setup costs, per-user defaults.
quote:export Download CSV / Excel quotes.
equipment:read List holders, tools, assemblies.
equipment:write Create / update / delete equipment.
libraries:read List machines / materials / equipment libraries.
webhooks:write Register and revoke webhook endpoints.

Revoking a key

In Settings → API keys, click Revoke next to the key you want to disable. Revocation is effective within ~60 seconds (positive auth results are cached in Redis with a 60s TTL). Any integration still using the revoked key will start receiving 401 Unauthorized once the cache expires.