The Qoder Cloud Agents API uses Personal Access Tokens (PATs) for authentication. Every API request must include a valid PAT in the HTTP headers.Documentation Index
Fetch the complete documentation index at: https://docs.qoder.com/llms.txt
Use this file to discover all available pages before exploring further.
Obtaining a PAT
- Sign in to the Qoder console.
- Open Settings → API Tokens.
- Click Create token and configure the name and scopes.
- Copy the generated token. The full value is shown only once—store it securely.
PATs are prefixed with
pt-, e.g. pt-your-token-here. Never commit tokens to source control or share them publicly.Bearer header format
Pass the PAT in theAuthorization header of every request as a bearer token:
Full request example
Environment variable (recommended)
Store the PAT as an environment variable to avoid hard-coding:Difference from x-api-key
| Method | Header format | When to use |
|---|---|---|
| Bearer Token | Authorization: Bearer <PAT> | Recommended. Used for all Cloud Agents API calls. |
x-api-key | x-api-key: <key> | Legacy or third-party integrations. Not supported by the Cloud Agents API. |
The Cloud Agents API only accepts
Authorization: Bearer. Requests using x-api-key return 401 authentication_error.Troubleshooting authentication failures
Common errors
| HTTP status | Error type | Likely cause |
|---|---|---|
| 401 | authentication_error | PAT is invalid, expired, or malformed |
| 403 | permission_error | PAT is valid but lacks access to the target resource |
401 error response example
Troubleshooting steps
- Confirm the PAT has not expired or been revoked.
- Check that the request uses
Authorization: Bearer, notx-api-key. - Verify the
Bearerprefix is spelled correctly (case and spacing). - Confirm the environment variable is exported.
Security recommendations
- Use separate PATs for development, staging, and production.
- Rotate tokens regularly.
- Apply least-privilege scopes when issuing tokens.
- Revoke any leaked token immediately from the console.