Lymo uses Bearer token authentication. Every API request must include your API key in the Authorization header. Requests without a valid key are rejected with a 401 error.
Getting your API key
You create and manage API keys from the Lymo dashboard at api.lymo.jp.
Navigate to Settings > API Keys
Open the Settings menu and select API Keys.
Click Create API Key
Click the Create API Key button. Give the key a descriptive name so you can identify it later.
Copy and store your key securely
Copy the key immediately and save it somewhere secure. The full key is only shown once — if you lose it, you will need to revoke it and create a new one.
Using your API key
Pass your API key as a Bearer token in the Authorization header of every request.
curl -H "Authorization: Bearer YOUR_API_KEY" https://api.lymo.jp/plants
Never expose your API key in client-side code or commit it to version control. Anyone with your key can make authenticated requests on your behalf.
Authentication errors
The API returns the following status codes when a request fails authentication.
| Status | Meaning |
|---|
401 Unauthorized | The API key is missing or invalid. |
403 Forbidden | The API key is valid but does not have permission to perform the requested action. |
401 response body looks like this:
{
"error": 401,
"message": "Unauthorized: invalid or missing API key"
}
Authorization header is present, correctly formatted as Bearer YOUR_API_KEY, and that the key has not been revoked.
Rotating your API key
If your key is compromised or you want to issue a new one, revoke the old key from Settings > API Keys in the dashboard, then create a replacement. The old key stops working immediately, so update your integration before revoking.
Store your API key in an environment variable such as API_KEY=your_key and reference it in your code rather than hard-coding the value. This keeps secrets out of your source code and makes rotation easier.
