API Documentation

Authorization

The Sitequest API uses Bearer token authentication with API keys.

API Keys

Create API keys in your Dashboard under Settings > API / MCP. Each key can be configured with a name, expiry date, and specific permission scopes.

Include your key in every request via the Authorization header:

Authorization: Bearer sq_live_xxxxx...

API keys use the prefix sq_live_ followed by a 64-character hex string.

Scopes

Each API key is assigned one or more scopes that control what it can access. Use the principle of least privilege — only grant the scopes your integration needs.

Scope           Description
vps:read        List servers, view status and metrics
vps:write       Start, stop, reboot, reinstall, mount ISO, SSH execution
vps:manage      Create, upgrade, and delete servers
domains:read    List domains and view DNS records
domains:write   Edit DNS records and domain settings
domains:manage  Register, transfer, and delete domains

When creating a key you can choose Full access (all scopes), Read only (vps:read + domains:read), or Custom (pick individual scopes).

Rate Limiting

API requests are rate-limited to 60 requests per minute per API key.

Every response includes rate limit headers:

Header                 Description
X-RateLimit-Limit      Maximum requests allowed per window
X-RateLimit-Remaining  Requests remaining in the current window
X-RateLimit-Reset      Unix timestamp when the window resets

When the rate limit is exceeded the API returns 429 Too Many Requests.

Error Responses

Authentication errors return a JSON body:

{
  "error": "Invalid or missing API key",
  "code": "UNAUTHORIZED",
  "status": 401
}

Status  Code                Meaning
401     UNAUTHORIZED        Missing, invalid, revoked, or expired API key
403     INSUFFICIENT_SCOPE  API key lacks the required scope(s)
429     RATE_LIMITED        Too many requests

Security Tips

  • Never commit API keys to version control.
  • Rotate keys regularly and revoke unused ones.
  • Use the narrowest scopes possible.
  • Set an expiry date for keys used in CI/CD pipelines.
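
One way to enforce the first tip is a pre-commit check that looks for the key format described above (sq_live_ followed by 64 hex characters). This is an added example, not Sitequest code; the function names and the sample input are constructed for illustration, and accepting upper-case hex is an assumption.

```python
import re
import sys

# Format from the documentation above: "sq_live_" + 64 hex characters.
# Assumption: hex digits may be upper or lower case (the page does not say).
# The lookahead rejects longer hex runs, which do not fit the documented format.
KEY_RE = re.compile(r"sq_live_[0-9a-fA-F]{64}(?![0-9a-fA-F])")

def redact(key: str) -> str:
    """Keep only the prefix and last 4 characters so reports do not leak the key."""
    return f"{key[:8]}...{key[-4:]}"

def find_keys(text: str) -> list[tuple[int, str]]:
    """Return (line_number, redacted_key) for every key-shaped string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, redact(match.group(0))))
    return hits

def scan_files(paths: list[str]) -> int:
    """Scan files; return 1 if any key is found (non-zero blocks a commit hook)."""
    found = False
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_keys(fh.read())
        except OSError as exc:
            print(f"{path}: skipped ({exc})", file=sys.stderr)
            continue
        for lineno, shown in hits:
            found = True
            print(f"{path}:{lineno}: possible Sitequest API key {shown}")
    return 1 if found else 0

# Constructed sample input: the key below is fake, not a real credential.
SAMPLE = (
    "API_URL=https://api.example.invalid\n"
    "SITEQUEST_KEY=sq_live_" + "0123456789abcdef" * 4 + "\n"
    "# docs placeholder, must not match: sq_live_xxxxx...\n"
    "TOO_LONG=sq_live_" + "a" * 70 + "\n"
)

if __name__ == "__main__":
    # With file arguments, act as a pre-commit check; otherwise scan the sample.
    if len(sys.argv) > 1:
        sys.exit(scan_files(sys.argv[1:]))
    print(find_keys(SAMPLE))
```

Run it from a pre-commit hook with the staged file paths as arguments; a non-zero exit status stops the commit. A key that has already been committed should be revoked in the Dashboard, not just removed from the file.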