docs-mintlify/api-reference/authentication.mdx
How you authenticate depends on which API you call. The REST management API
(/api/v1/…) uses an API key; the SCIM API (/api/scim/v2/…) uses a bearer
token. Both are sent in the Authorization header, and only HTTPS is accepted.
/api/v1)Authenticate deployment, report, and workbook requests with an API key from your
Cube Cloud account, sent with the Api-Key prefix:
Authorization: Api-Key <YOUR_API_KEY>
Generate an API key (access token) in your Cube Cloud account settings.
curl --request GET \
--url 'https://<tenant>.cubecloud.dev/api/v1/deployments' \
--header 'Authorization: Api-Key <YOUR_API_KEY>'
The REST API also accepts a Bearer prefix for OAuth access tokens, for
integrations built on Cube Cloud's OAuth flow:
Authorization: Bearer <YOUR_OAUTH_ACCESS_TOKEN>
Bearer here authenticates an OAuth access token, not your API key — the two
are validated differently. Send API keys with the Api-Key prefix; a Cube Cloud
API key sent as Bearer will be rejected. (SCIM is the exception — see below.)
/api/scim/v2)Authenticate user and group provisioning requests with a SCIM bearer token, configured in your identity provider's SCIM integration:
Authorization: Bearer <YOUR_SCIM_TOKEN>
The SCIM API requires the Bearer prefix because identity providers (Microsoft
Entra ID, Okta, and others) send credentials this way per
RFC 7644. The SCIM token is a
Cube Cloud API key, so Api-Key <YOUR_SCIM_TOKEN> is also accepted here.
Generate a SCIM token in your Cube Cloud account settings, then configure it in your identity provider alongside the base URL.
curl --request GET \
--url 'https://<tenant>.cubecloud.dev/api/scim/v2/Users?count=100&startIndex=1' \
--header 'Authorization: Bearer <YOUR_SCIM_TOKEN>'
Treat API keys and SCIM tokens like passwords — they grant full access to your account's resources. Store them securely and rotate them if they are exposed.
</Warning>A 401 Unauthorized response means the credential is missing, malformed, or
expired.