A secret token used to authenticate requests to an API.
An API key is a secret string that identifies and authenticates the application or user making requests to an API. Like a password, it should be kept private. Unlike a password, it is typically passed in request headers rather than a login form.
API keys are often used instead of user credentials for machine-to-machine communication — CLI tools, hooks, scripts, and integrations. They let you grant access to a specific service without exposing your main account password.
Most API keys support scopes — restrictions on what the key is allowed to do. A read-only key can fetch data but cannot create or modify anything. A full-access key can do everything the account allows. Using the minimum necessary scope reduces risk if a key is compromised.
If you suspect an API key has been leaked, revoke it immediately and generate a new one. Any service that was using the old key will need to be updated.
In ClockMe
ClockMe API keys start with ck_live_ and support three scopes: Read (view only), Write (start/stop timers, log time), and Full (all access including project creation). Generate keys in Settings → API Keys or in the Setup Wizard. Keys are shown once on creation — copy and store them securely. You can revoke any key from Settings without affecting other keys.
Go to Settings → API Keys in ClockMe and revoke the exposed key immediately. Generate a new key and update any integrations that used the old one. The revoked key will stop working immediately.
Yes. ClockMe lets you create as many API keys as you need. Use separate keys per tool (Claude Code, Cursor, Chrome extension) so you can revoke individual integrations without affecting others.
A Bearer token is a type of API key. 'Bearer' refers to how it is passed in HTTP headers: Authorization: Bearer <token>. ClockMe API keys are used as Bearer tokens.
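The fixed ck_live_ prefix makes leaked keys easy to find before or after an exposure. The following is an added example, not ClockMe's own code: a scanner that flags key-like strings in scripts, configs or logs (including Authorization: Bearer headers) and reports them redacted. The key body pattern, the CLOCKME_API_KEY variable name, the example URL and the sample keys are assumptions made for the example.

```python
import re

# Assumption: the page only documents the "ck_live_" prefix. The body pattern
# (16+ URL-safe characters) is a guess; adjust it to the real key format.
KEY_RE = re.compile(r"\bck_live_[A-Za-z0-9_-]{16,}")


def redact(key: str) -> str:
    """Keep the prefix and last 4 characters so findings can be told apart
    without copying the secret into the report."""
    return f"ck_live_...{key[-4:]}"


def scan(text: str, source: str = "<input>"):
    """Return (source, line_number, redacted_key) for each key-like string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group())))
    return findings


def keys_to_revoke(findings):
    """Distinct redacted keys, in first-seen order, for the revocation list."""
    return list(dict.fromkeys(f[2] for f in findings))


# Constructed sample: the key values below are made up for this example.
SAMPLE = """\
export CLOCKME_API_KEY=ck_live_Zk3pQ9xLm2Vt8RbYc7Ha
curl -H "Authorization: Bearer ck_live_Zk3pQ9xLm2Vt8RbYc7Ha" https://api.example.invalid/v1/timers
# docs: keys start with ck_live_ and are shown once
token = "ck_live_7f2d_Nw0Te-41MsXuPq9B"
"""

if __name__ == "__main__":
    hits = scan(SAMPLE, "deploy.sh")
    for src, lineno, key in hits:
        print(f"{src}:{lineno}: possible ClockMe API key {key}")
    print("revoke:", keys_to_revoke(hits))
```

Run it over a repository or log directory before committing or sharing; every distinct key it reports should be revoked and regenerated, not just deleted from the file.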