API Authentication
The Sable API supports two authentication methods: User API Keys and Jetta SSO.
User API Keys
For programmatic access, use API keys generated from the Sable dashboard.
Getting a Key
- Go to Sable → Settings → User Settings → API Keys
- Click "Generate New Key"
- Copy the key (shown only once)
Using the Key
Include the key in the x-api-key header:
curl -H "x-api-key: sk_a5b6aac152e01d55066c0a1807eb4f81" \
https://sable-data.jettaintelligence.com/api/health
Key Format
Keys follow the pattern: sk_ followed by 32 hex characters.
sk_a5b6aac152e01d55066c0a1807eb4f81
Key Rotation
To rotate a compromised key:
- Generate a new key
- Update all clients
- Revoke the old key
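An added example, not part of the Sable documentation or code: before the old key is revoked in the rotation steps above, a scan like this finds the files where it is still embedded, using the pattern given under Key Format. The keys and sample lines are constructed, and `scan`, `still_uses`, `fingerprint` and `redact` are hypothetical helper names.

```python
import hashlib
import re

# Key format from the page: "sk_" followed by 32 hex characters.
# Accepting upper-case hex is an assumption so a re-cased copy is not missed.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_])sk_[0-9a-fA-F]{32}(?![0-9A-Za-z])")


def fingerprint(key: str) -> str:
    """Short SHA-256 prefix: lets findings be matched to a key without storing it."""
    return hashlib.sha256(key.lower().encode()).hexdigest()[:12]


def redact(key: str) -> str:
    """Keep only the prefix and the last four characters."""
    return key[:3] + "*" * 28 + key[-4:]


def scan(lines, source="<input>"):
    """Return one finding per key occurrence; the raw key is never included."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in KEY_RE.finditer(line):
            key = m.group()
            findings.append({"source": source, "line": lineno,
                             "redacted": redact(key), "fp": fingerprint(key)})
    return findings


def still_uses(findings, old_key):
    """Locations that still hold the key being rotated out."""
    fp = fingerprint(old_key)
    return [(f["source"], f["line"]) for f in findings if f["fp"] == fp]


# Constructed sample input (these are not real keys).
OLD_KEY = "sk_" + "0123456789abcdef" * 2
NEW_KEY = "sk_" + "fedcba9876543210" * 2
SAMPLE = [
    f'curl -H "x-api-key: {OLD_KEY}" https://example.invalid/api/health',
    f"SABLE_API_KEY={NEW_KEY}",
    "sk_0123456789abcdef0123456789abcdef00  # 34 hex chars: not a key",
    "task_0123456789abcdef0123456789abcdef  # 'sk_' inside a longer word",
    f"retry with {OLD_KEY.upper().replace('SK_', 'sk_')}",
]

if __name__ == "__main__":
    print(still_uses(scan(SAMPLE, "sample.txt"), OLD_KEY))
```

An empty result from `still_uses` for every scanned file is the signal that the "Update all clients" step is complete and the old key can be revoked.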
Jetta SSO
For browser-based access, Sable uses Jetta SSO authentication via the jetta_token cookie.
How It Works
- User visits Sable
- Middleware checks for jetta_token cookie
- If missing, redirect to login.jettaintelligence.com
- After login, cookie is set on .jettaintelligence.com
- User is redirected back, now authenticated
Cookie Details
- Name: jetta_token
- Domain: .jettaintelligence.com
- HttpOnly: true
- Secure: true
Permission Scopes
| Scope | Access |
|---|---|
| read:pnl | View P&L data |
| read:returns | View return calculations |
| write:upload | Upload files |
| admin | Full access |
Rate Limits
| Endpoint | Limit |
|---|---|
| /api/returns/* | 100 req/min |
| /api/storage/upload | 10 req/min |
| /api/health | Unlimited |
Error Responses
401 Unauthorized
{
"error": "Invalid or expired API key"
}
Fix: Check that the key is correct; generate a new one if needed.
403 Forbidden
{
"error": "Insufficient permissions"
}
Fix: Check that the user has the required scope; contact an admin.