API

Authentication

The Tab API authenticates with bearer tokens: send your API key in an Authorization header on every request. There are no cookies, no signed URLs and no short-lived session tokens to manage; the key is the whole credential. That simplicity cuts both ways. Anyone who holds a secret key can act with its full scope until you revoke it, so treat it like a password: keep it server-side, load it from configuration rather than source, and send it only over HTTPS.

Key prefixes

  • sk_live_… — production. Secret key; charges real money.
  • sk_test_… — sandbox. Secret key; settles on testnets, no real funds.
  • pk_… — publishable. Safe to put in a browser; can only read public order data.

Example request

curl https://api.thetab.bar/v1/orders \
  -H "Authorization: Bearer sk_live_…"
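Here is an added example, not code from The Tab's own SDK or docs, of the client-side checks worth wrapping around this scheme: it validates the key's prefix, refuses a production key in a sandbox deployment (and the reverse), puts the key in the Authorization header and nowhere else, and redacts it for logs. The base URL and header form are from this page; the TAB_API_KEY variable name, the key body character set and the sample key are assumptions.

```python
"""Added example: client-side hygiene for Tab API bearer keys.

Illustrative code, not The Tab's own SDK. The base URL and Authorization
header form come from the docs; the TAB_API_KEY variable name, the key body
character set and the sample key below are assumptions.
"""
import os
import re
import urllib.request

API_BASE = "https://api.thetab.bar/v1"

# Documented prefixes followed by an opaque body. The body character class
# [A-Za-z0-9] is an assumption; the real key format is not documented here.
KEY_RE = re.compile(r"^(sk_live_|sk_test_|pk_)([A-Za-z0-9]+)$")


def classify_key(key: str) -> dict:
    """Map a key's prefix to what the docs say it is and where it works."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError("not a Tab API key (unknown prefix or bad characters)")
    prefix = m.group(1)
    if prefix == "sk_live_":
        return {"secret": True, "env": "production"}
    if prefix == "sk_test_":
        return {"secret": True, "env": "sandbox"}
    return {"secret": False, "env": "public"}


def redact(key: str) -> str:
    """Type prefix plus four body characters: safe for logs and support mail."""
    m = KEY_RE.match(key)
    if not m:
        return "<not a Tab key>"
    return m.group(1) + m.group(2)[:4] + "..."


def key_from_env(want_env: str, var: str = "TAB_API_KEY") -> str:
    """Load the key from the environment (never from source or a URL) and
    fail at startup if it is missing or belongs to the wrong environment."""
    key = os.environ.get(var, "")
    if not key:
        raise RuntimeError(f"{var} is not set")
    env = classify_key(key)["env"]
    if env != want_env:
        raise RuntimeError(f"{var} holds a {env} key ({redact(key)}), expected {want_env}")
    return key


def build_request(key: str, path: str, want_env: str, method: str = "GET") -> urllib.request.Request:
    """Build a request carrying the key as a bearer token in the header only.

    Rejects a key from the wrong environment and any attempt to smuggle the
    key into the URL (path or query string), which would land it in logs.
    """
    env = classify_key(key)["env"]
    if env != want_env:
        raise ValueError(f"{redact(key)} is a {env} key, expected {want_env}")
    url = API_BASE + path
    if key in url:
        raise ValueError("key must travel in the Authorization header, not the URL")
    return urllib.request.Request(
        url, method=method, headers={"Authorization": f"Bearer {key}"}
    )


if __name__ == "__main__":
    # Constructed sample key; not a real credential. Nothing is sent.
    sample = "sk_test_2kF9xQv7LmPz3RtY"
    req = build_request(sample, "/orders", want_env="sandbox")
    print(req.get_method(), req.full_url, "using", redact(sample))
```

The environment check is the part most people skip: a sandbox deployment that accidentally picks up an sk_live_ key will happily charge real money, and nothing in the header tells you which one you sent.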

Key scopes

Each key has one scope, chosen when it is created. Give each integration its own key with the narrowest scope that does the job; a reporting job that only lists orders should not hold an admin key:

  • read — list and retrieve resources.
  • write — create orders, links, invoices.
  • admin — change team settings, rotate keys, manage webhooks.

Rotation

Rotate keys from the dashboard. The old key keeps working for a 24-hour grace window so you can roll the new key out without downtime. Rotation is not revocation: during that window the old key is still valid, so if a key has leaked, revoke it (see "If a key leaks" below) instead of rotating it.

What you shouldn't do

  • Embed an sk_ key in a browser bundle. Anyone who loads the page can read it out of the source; use a pk_ key on the client and keep secret keys server-side.
  • Put a key in a URL query string. Query strings end up in server logs, proxy logs and browser history. Use the header.
  • Share a key over Slack, or paste it into a ticket or a commit. Use the dashboard's "invite" flow to give a teammate access instead.
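As an added example (not The Tab's own tooling), here is a small scanner for the first two mistakes that you can run over build output or a log tail before it ships: it flags sk_live_ and sk_test_ keys found in a browser bundle or in a URL query string, ignores pk_ keys, and reports only a redacted prefix, which is also the form to send to security@ if it finds something. The key prefixes are from this page; the body character set, the file names and the sample contents are constructed.

```python
"""Added example: find leaked Tab secret keys in build output and logs.

Illustrative code, not The Tab's tooling. Prefixes come from the docs; the
body character set, the sample files and the sample keys are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Only secret keys are findings; pk_ keys are publishable by design.
# The body character class and minimum length are assumptions.
SECRET_KEY_RE = re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{8,}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
BROWSER_SUFFIXES = (".js", ".mjs", ".html")


def redact(key: str) -> str:
    """Keep the 8-character type prefix plus four body characters."""
    return key[:12] + "..."


def keys_in_query_strings(text: str) -> set[str]:
    """Secret keys that appear as URL query parameter values in `text`."""
    found = set()
    for url in URL_RE.findall(text):
        for values in parse_qs(urlsplit(url).query).values():
            for value in values:
                found.update(SECRET_KEY_RE.findall(value))
    return found


def scan(name: str, text: str) -> list[dict]:
    """Report every secret key in one file with its line and how it leaked."""
    in_query = keys_in_query_strings(text)
    findings = []
    for m in SECRET_KEY_RE.finditer(text):
        key = m.group(0)
        if key in in_query:
            where = "url_query"
        elif name.endswith(BROWSER_SUFFIXES):
            where = "browser_bundle"
        else:
            where = "source"
        findings.append({
            "file": name,
            "line": text.count("\n", 0, m.start()) + 1,
            "env": "live" if key.startswith("sk_live_") else "test",
            "where": where,
            "key": redact(key),  # never the full key in a report
        })
    return findings


# Constructed sample inputs; the keys are made up, not real credentials.
SAMPLES = {
    "bundle.min.js": 'const K="sk_live_4QbTz9mNp2Lx7RwK";fetch("https://api.thetab.bar/v1/orders",{headers:{Authorization:"Bearer "+K}})',
    "checkout.html": '<script>window.TAB_PK="pk_c0ffee1234567890"</script>',
    "app.log": "GET https://api.thetab.bar/v1/orders?api_key=sk_test_8HgVv2ZpQ1tYd5Ms 200",
    "config.py": 'TAB_KEY = os.environ["TAB_API_KEY"]  # loaded at runtime, nothing to find',
}


def scan_all(samples: dict = SAMPLES) -> list[dict]:
    """Scan every sample file and return the combined findings."""
    return [f for name, text in samples.items() for f in scan(name, text)]


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['file']}:{f['line']} {f['env']} key via {f['where']}: {f['key']}")
```

Wire it into CI on the built bundle and on anything that writes request URLs to disk; a live key in a query string is the case that bites twice, once in your own access logs and again in any upstream proxy's.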

If a key leaks

Revoke it in the dashboard immediately; don't wait for a rotation grace window to expire, and don't wait for us. We can also revoke it for you: email security@thetab.bar with the key prefix (first eight characters), never the full key, and we'll act inside an hour. Once the key is revoked, issue a fresh one to whatever was using it and check what the old key did while it was exposed.