Authentication
All Drafted API requests require an API key passed as a Bearer token.
Creating an API key
- Open the Drafted dashboard
- Go to Settings → Developer
- Click Create API key
- Give the key a name (e.g. monday-integration or ci-pipeline)
- Select the required scopes (see below)
- Copy the key — it is shown once only
API keys use the prefix dk_live_.
Sending the key
Include the key in the Authorization header on every request:
Authorization: Bearer dk_live_YOUR_KEY
Example:
curl https://app.drafted.li/api/external/v1/teams \
-H "Authorization: Bearer dk_live_YOUR_KEY"
Scopes
| Scope | Required for |
|---|---|
| missions:write | Creating missions (POST /missions) |
| missions:read | Reading mission status and results (GET /missions, GET /missions/{id}) |
| teams:read | Listing teams (GET /teams) |
| position-packages:read | Listing position packages (GET /position-packages) |
A key with missions:write automatically includes missions:read.
Rotating a key
Warning: Rotating a key immediately revokes the old one. Update all integrations that use the key before rotating.
- Go to Settings → Developer
- Find the key and click Rotate
- Copy the new key and update your integrations
Security best practices
- Never commit API keys to source control. Use environment variables or a secrets manager.
- Use one key per integration so you can revoke a single key without affecting others.
- Restrict scopes to the minimum required for each key.
Rate limits
| Endpoint type | Limit |
|---|---|
| Read (GET) | 120 requests / minute per key |
| Write (POST) | 30 requests / minute per key |
When you exceed a limit, the API returns 429 Too Many Requests with a Retry-After header indicating when you can retry.
Rate limit headers are included on every response:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Your limit for this window |
| X-RateLimit-Remaining | Requests remaining in the current window |
| X-RateLimit-Reset | Unix timestamp when the window resets |
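The following Python client reads the key from an environment variable, as the best practices above recommend, and waits out a 429 using Retry-After or X-RateLimit-Reset. It is an added example, not Drafted's own code; the DRAFTED_API_KEY variable name, the accepted Retry-After formats (seconds or HTTP-date) and the 1-second fallback are assumptions.

```python
import email.utils
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://app.drafted.li/api/external/v1"  # from the curl example on this page
KEY_ENV = "DRAFTED_API_KEY"  # assumed variable name, not defined by Drafted


def load_key(env=os.environ):
    """Read the key from the environment; reject values without the documented prefix."""
    key = env.get(KEY_ENV, "").strip()
    if not key.startswith("dk_live_"):
        raise RuntimeError(f"{KEY_ENV} is unset or does not start with dk_live_")
    return key


def retry_delay(headers, now=None):
    """Seconds to wait after a 429, taken from Retry-After or X-RateLimit-Reset."""
    now = time.time() if now is None else now
    retry_after = headers.get("Retry-After")
    if retry_after:
        if retry_after.strip().isdigit():  # delta-seconds form (assumed format)
            return float(retry_after)
        try:  # HTTP-date form (assumed format)
            return max(0.0, email.utils.parsedate_to_datetime(retry_after).timestamp() - now)
        except (TypeError, ValueError):
            pass
    reset = headers.get("X-RateLimit-Reset")  # Unix timestamp per the header table
    if reset and reset.strip().isdigit():
        return max(0.0, float(reset) - now)
    return 1.0  # conservative fallback when no usable header is present (assumption)


def get(path, max_attempts=3, opener=urllib.request.urlopen, sleep=time.sleep):
    """GET BASE_URL + path with the Bearer key, backing off on 429 responses."""
    req = urllib.request.Request(BASE_URL + path,
                                 headers={"Authorization": f"Bearer {load_key()}"})
    for attempt in range(max_attempts):
        try:
            with opener(req) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            if err.code != 429 or attempt == max_attempts - 1:
                raise  # other errors and the final 429 go to the caller
            sleep(retry_delay(err.headers))
```

The error raised by `load_key` names the variable but never echoes its value, so a malformed key does not end up in logs.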