Authentication

The Extend API authenticates every request with a Bearer token. Create an API key from your Developer settings, then send it with each request — directly in the Authorization header, or by passing it once to an SDK client.

Authenticate a request

The recommended approach is to store your key in the EXTEND_API_KEY environment variable so it stays out of source control:

$ export EXTEND_API_KEY="YOUR_API_KEY"

Every SDK reads EXTEND_API_KEY automatically, so you can create a client with no arguments.

With the raw API, set the Authorization header on every request. Direct API calls must also include the x-extend-api-version header — the SDKs pin the version for you.

$ curl https://api.extend.ai/extractors \
>   -H "Authorization: Bearer $EXTEND_API_KEY" \
>   -H "x-extend-api-version: 2026-02-09"

Prefer to manage the key yourself? Pass it explicitly when you create the client — Extend(token="YOUR_API_KEY") in Python, new ExtendClient({ token: "YOUR_API_KEY" }) in TypeScript, .apiKey("YOUR_API_KEY") on the Java builder, or option.WithToken("YOUR_API_KEY") in Go. An explicit key always overrides the environment variable.

API key scopes

Every key is scoped to either a single workspace or your whole organization:

Workspace keys — Work only for the workspace they belong to. Nothing else is required.
Organization keys — Work across every workspace in your organization. Each request must set the X-Extend-Workspace-Id header to name the target workspace, and only organization admins can create them.

For an organization key, send the workspace header alongside your token:

$ curl https://api.extend.ai/extractors \
>   -H "Authorization: Bearer YOUR_API_KEY" \
>   -H "x-extend-api-version: 2026-02-09" \
>   -H "X-Extend-Workspace-Id: ws_xxx"