Authentication
The waitlist signup endpoint authenticates with a server key sent as a bearer token. The two invite endpoints are public and need no authentication.
Server keys
A server key is a secret credential scoped to a single product (waitlist) and environment. It looks like:
ck_srv_waitlist_prod_1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6dck_srv— a secret server key (as opposed to a publicck_clientkey).waitlist— the product it grants access to.prod— the environment (prod,stg, ordev).
Send it on every authenticated request in the Authorization header:
Authorization: Bearer ck_srv_waitlist_prod_1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6dcurl https://api.uselucerna.app/sdk/v1/waitlist/signup \
-H "Authorization: Bearer $LUCERNA_SERVER_KEY" \
-H "Content-Type: application/json" \
-d '{ "waitlistId": "wl_launch", "entries": [{ "email": "ada@example.com" }] }'const headers = {
Authorization: `Bearer ${process.env.LUCERNA_SERVER_KEY}`,
"Content-Type": "application/json",
};Getting and rotating a key
Open the dashboard → Waitlist → API to copy your server key. From the same screen you can rotate it: rotating revokes the old key immediately and issues a new one, so update your environment variables before rotating in production.
Keep server keys secret
A server key can write to your waitlist, so treat it like a password:
- Only use it from your backend. Never embed it in a web page, mobile app, or any client that ships to users.
- Store it in an environment variable (e.g.
LUCERNA_SERVER_KEY), not in source control. - Rotate it if it's ever exposed.
If you need to collect signups directly from a browser without a backend, proxy the request through a small server-side endpoint of your own that holds the key.
Public invite endpoints
Validating and accepting an invite code require no key. They act on a single, revocable invite code rather than your account, so they're safe to call from a browser-side join page. Don't send your server key to these endpoints.
Errors
A missing or invalid server key on the signup endpoint returns 401:
{ "code": "unauthorized", "message": "Missing or invalid server key" }See Errors for the full list.