
Generate an API token for the public API

REST API base URL, tokens, and safe usage patterns.

Last updated 2026-04-12

RepDesk exposes a versioned REST API under /api/v1 on your host (for production: https://repdesk.io/api/v1). Integrations, scripts, and the Chrome extension (where applicable) authenticate with a Bearer token tied to your company—never with a password in the query string.

Full endpoint and auth reference (for developers):
Treat docs/PUBLIC_API.md in the RepDesk repository as the contract for paths, payloads, and error shapes. This help page is the operator summary.


Create and store tokens safely

  1. Sign in to RepDesk in the browser.

  2. Open My Settings and find API Tokens (or the name your deployment uses).

  3. Create a named token, copy it once, and store it in a secret manager or your integration’s env vars—the UI may not show the full secret again after creation.

  4. Rotate or revoke when a teammate leaves, a laptop is lost, or a token was pasted into chat by mistake.

Never:

  • Commit tokens to git, Slack, email, or client-side browser code that users can view source on.

  • Share one token across two companies—each token is scoped to one company_id.

How to call the API

Typical pattern:

    GET https://repdesk.io/api/v1/...
    Authorization: Bearer <your_api_token>
    Content-Type: application/json

Some flows also accept a Supabase session from the browser; server-to-server and CLI tools should use Bearer tokens as documented in PUBLIC_API.md.

Issuing a long-lived token from a session is described there (e.g. POST /api/v1/auth/token where enabled)—follow that doc for exact headers and body.

Tenancy (multi-company)

Every successful request runs in the context of the company attached to the token (or session). If you get empty lists or 403 responses, confirm you are using a token created while signed into the correct org, not a personal test token from another tenant.

Troubleshooting

| Symptom | Check |
| --- | --- |
| 401 / Invalid token | Token revoked, typo, or missing Bearer prefix. |
| 403 / wrong data | Wrong company for that token. |
| CORS from browser | Prefer server-side or extension calls; public browsers cannot safely hold production secrets. |

For product bugs, contact support@repdesk.io with timestamp and request id if the response includes one—do not paste the raw token.
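The calling pattern and troubleshooting checks above, as an added Python example that is not RepDesk's own code: it reads the token from the environment, puts it only in the Authorization header, and masks it before anything is logged or sent to support. The variable name REPDESK_API_TOKEN, the helper names, and the HTTPS-only check are assumptions of this example; the request is built but not sent, and the path comes from docs/PUBLIC_API.md.

```python
import os
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://repdesk.io/api/v1"  # production base URL given on this page
TOKEN_ENV = "REPDESK_API_TOKEN"         # assumed variable name, not defined by RepDesk

# Operator checks copied from the troubleshooting table on this page.
HINTS = {
    401: "Token revoked, typo, or missing Bearer prefix.",
    403: "Wrong company for that token.",
}

def load_token(env=os.environ):
    """Read the token from the environment instead of hard-coding it in source."""
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set")
    if token.lower().startswith("bearer "):
        raise ValueError(f"{TOKEN_ENV} must hold the bare token, without 'Bearer '")
    return token

def build_request(path, token, base_url=BASE_URL, method="GET"):
    """Build (not send) a request that carries the token only in the header."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    if urlsplit(url).scheme != "https":
        # Added safety check for this example: no Bearer token over plain HTTP.
        raise ValueError("refusing to send a Bearer token over a non-HTTPS URL")
    if token in url:
        raise ValueError("token must not appear in the URL or query string")
    return urllib.request.Request(url, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })

def redact(text, token):
    """Mask the token before text goes to logs, chat, or a support ticket."""
    return text.replace(token, "<redacted>")

def diagnose(status):
    """Map an HTTP status to the operator check from the troubleshooting table."""
    return HINTS.get(status, "See docs/PUBLIC_API.md for this status.")
```

Pass the returned request to `urllib.request.urlopen` to send it, and run any debug output through `redact` first.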
