Authentication
The InfoLobby Public API uses OAuth 2.0 Bearer Tokens (RFC 6750). Every request must include an Authorization header.
Header format
Authorization: Bearer il_live_<your_secret>
Obtaining a key
- Log into InfoLobby as the account owner
- Go to Account → API Keys
- Click Create API Key
- Fill in:
- Name — descriptive (e.g. ProcFu data import)
- IP Whitelist (optional) — comma- or newline-separated IPs or CIDR ranges
- Workspace access — check one or more workspaces, or leave all unchecked for access to every workspace owned by the account. Leaving it unchecked also unlocks workspace-management endpoints (create / update / delete spaces). A key restricted to specific workspaces can still CRUD tables and records inside those workspaces, but cannot create new workspaces or modify/delete existing ones.
- Read only — when checked, the key cannot create, update, or delete data
- Copy the secret shown in the confirmation dialog. This is the only time it will be displayed in plaintext.
Revealing an existing secret
If you forget the secret, click Reveal next to the key in your account screen. The current plaintext value is returned (InfoLobby stores secrets encrypted at rest).
Rotating a key
Click Rotate to issue a new secret for the same key record. The old secret stops working immediately. The key's ID, name, scopes, and audit trail are preserved.
Deleting a key
Click Delete. The key is soft-deleted and all future requests using it return 401.
Example curl request
curl https://infolobby.com/api/spaces/list \
-H "Authorization: Bearer il_live_abc123..."
Personal API keys
Personal API keys authenticate as your user instead of the account owner. They inherit your workspace permissions and give you access to your notifications and tasks in addition to workspace data.
Header format
Authorization: Bearer il_user_<your_secret>
Obtaining a personal key
- Log into InfoLobby
- Go to Profile (click your avatar or name)
- Scroll to Personal API Keys
- Click Create Personal API Key
- Fill in:
- Name — descriptive (e.g. My Dashboard)
- IP Whitelist (optional) — comma- or newline-separated IPs or CIDR ranges
- Read only — when checked, the key cannot create, update, or delete data
- Copy the secret. It is shown now, and can later be revealed or rotated from the web interface.
Personal keys have the same reveal, rotate, and delete actions as account keys.
Differences from account keys
Account keys (il_live_) |
Personal keys (il_user_) |
|
|---|---|---|
| Identity | Account owner | Your user |
| Access | All account data (scoped by key settings) | Only data you can access |
| Notifications & tasks | Not available | Available |
| Who can create | Account owner | Any user |
| Rate limit | Full plan limit (shared per account) | 1/4 of plan limit (shared per user) |
Example curl request
curl https://infolobby.com/api/notifications/list \
-H "Authorization: Bearer il_user_xyz789..." \
-H "Content-Type: application/json" \
-d '{"filter": "unread", "limit": 10}'
Security notes
- API secrets are sensitive credentials. Store them in a password manager or secret store — never commit them to source control.
- InfoLobby never logs plaintext secrets.
- A lost key should be rotated or deleted, not simply replaced.
- IP whitelisting is strongly recommended for production keys.
- API keys cannot manage other API keys. Key management is only available via the web interface.