docs(auth): support standard authorization headers and fix typos #52

Open
OluwaseunOlajide wants to merge 2 commits into booqable:master from OluwaseunOlajide:fix/auth-header-security

Conversation

@OluwaseunOlajide

Overview

While reviewing the API onboarding flow, I noticed the Authentication guide currently instructs users to pass their API keys as URL query parameters (?api_key=API_KEY_HERE).

This is an operations security (OPSEC) risk for teams doing security reviews, as credentials passed via URLs are frequently leaked in plain text across routing infrastructure, reverse proxies, and server logs. Furthermore, modern network security constraints and SSL/TLS terminators (like Cloudflare) can occasionally flag or drop these requests entirely.

Changes Made

  • Security Hardening: Updated the primary cURL example to use standard HTTP headers (--header 'Authorization: Bearer API_KEY_HERE'), ensuring tokens are securely encrypted within the request metadata.
  • Verification: Validated via production server testing that the backend infrastructure natively handles and processes standard Authorization: Bearer headers correctly without requiring any middleware modifications.
  • Syntax & Proofreading: Corrected several technical spelling and grammar issues in the immediate paragraphs (e.g., 'authentification' -> 'authentication', 'recieve' -> 'receive').

Let me know if the engineering team requires any adjustments!
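
An added example, not part of the pull request or the Booqable project: one way to check access logs for the leak described above, finding `api_key` values recorded in request URLs and redacting them. The log lines and key values are constructed, and the combined-log layout is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed access-log lines in combined log format (not from the page).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jun/2026:20:40:01 +0000] "GET /api/1/customers?api_key=EXAMPLEKEY123&page=2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Jun/2026:20:41:10 +0000] "GET /api/1/customers?page=2 HTTP/1.1" 200 512',
    '198.51.100.4 - - [25/Jun/2026:20:42:33 +0000] "GET /api/1/orders?API_KEY=EXAMPLEKEY456 HTTP/1.1" 401 87',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
SENSITIVE_PARAMS = {"api_key"}  # parameter name taken from the docs under review


def redact_target(target):
    """Return (redacted_target, leaked_values) for one request target."""
    parts = urlsplit(target)
    leaked, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            leaked.append(value)
            value = "REDACTED"
        kept.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), leaked


def scan(lines):
    """Redact sensitive query parameters and list the keys that were exposed."""
    clean, exposed = [], []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            target, leaked = redact_target(match.group("target"))
            exposed.extend((number, key) for key in leaked)
            line = line[:match.start("target")] + target + line[match.end("target"):]
        clean.append(line)
    return clean, exposed


if __name__ == "__main__":
    redacted, findings = scan(SAMPLE_LOG)
    print("\n".join(redacted))
    for number, key in findings:
        print(f"line {number}: key ending ...{key[-4:]} appeared in a URL; rotate it")
```

A request that carries the key in an `Authorization` header produces a log line like the second sample: the request target holds no credential, so there is nothing to redact.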

Copilot AI review requested due to automatic review settings June 25, 2026 20:46

Copilot AI left a comment

Pull request overview

Updates the Authentication section of the API docs to discourage insecure API-key-in-URL usage and move toward standard Authorization: Bearer headers.

Changes:

  • Updated the primary curl authentication example to send the API key via an Authorization: Bearer header.
  • Adjusted the example URL formatting (currently introduces a Markdown-link formatting issue inside the code block).
Comments suppressed due to low confidence (1)

source/index.html.md:75

  • The paragraph immediately below the updated example still instructs users to authenticate via the ?api_key=... query parameter, which contradicts the new Authorization: Bearer header example (and the PR description). It also contains typos (“on” -> “one”, “recieve” -> “receive”).
  --header 'Authorization: Bearer API_KEY_HERE'

You authenticate to the Booqable API by providing on of your API keys in the request.
This can be done by appending ?api_key=API_KEY_HERE to the end of your request URL.

Comment thread source/index.html.md Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 25, 2026 20:50

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

source/index.html.md:75

  • The example now uses an Authorization header, but the following text still instructs users to pass the API key as a URL query parameter and contains typos ("on of", "recieve"). This is inconsistent and continues to encourage an insecure pattern. Also consider updating other examples that still use api_key in the URL (e.g. source/includes/_customers.md:83) to keep the docs consistent.
  --header 'Authorization: Bearer API_KEY_HERE'

You authenticate to the Booqable API by providing on of your API keys in the request.
This can be done by appending ?api_key=API_KEY_HERE to the end of your request URL.

Comment thread source/index.html.md
Comment on lines 69 to +71
curl --request GET \
--url 'https://company.booqable.com/api/1/customers?api_key=API_KEY_HERE'
--url 'https://company.booqable.com/api/1/customers' \
--header 'Authorization: Bearer API_KEY_HERE'
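
Review bot: The added lines at 70-71 move the key into an Authorization: Bearer header, but the paragraph that follows the example still tells readers to append ?api_key=API_KEY_HERE to the request URL, so the prose now contradicts the example and the page documents two methods. Reword that paragraph in this same change to describe the header, and state explicitly whether the query parameter remains supported or is deprecated, so readers do not keep placing keys where proxies and server logs record the full URL. The other examples that still carry api_key in the URL (the review mentions source/includes/_customers.md:83) should be updated in this PR or in a tracked follow-up.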