The Alga PSA API uses API keys. Include your key in the X-API-Key header on every request. Requests with a missing or invalid key are rejected with 401 Unauthorized.
In your Alga PSA instance, create a key from Profile → API Keys. API keys authenticate as the user who created them, so they inherit that user's permissions. Keep the key in a secret manager; you should assume you cannot view the full value again after it leaves the dialog.
If you want the product walkthrough, see Set up API keys in Alga PSA.
Include the key in the X-API-Key header:
curl https://algapsa.com/api/v1/boards \
-H "X-API-Key: $ALGA_API_KEY"Treat API keys like long-lived credentials. Create dedicated keys for each integration, avoid sharing them between systems, and keep the underlying user's permissions limited to the resources that integration actually needs.
Authentication failures return a JSON envelope describing what went wrong:
401 — missing or invalid API key.403 — key is valid but lacks the required scope for this endpoint.