Skip to content

Authentication

The waitlist signup endpoint authenticates with a server key sent as a bearer token. The two invite endpoints are public and need no authentication.

Server keys

A server key is a secret credential scoped to a single product (waitlist) and environment. It looks like:

ck_srv_waitlist_prod_1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
  • ck_srv — a secret server key (as opposed to a public ck_client key).
  • waitlist — the product it grants access to.
  • prod — the environment (prod, stg, or dev).

Send it on every authenticated request in the Authorization header:

Authorization: Bearer ck_srv_waitlist_prod_1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
bash
curl https://api.uselucerna.app/sdk/v1/waitlist/signup \
  -H "Authorization: Bearer $LUCERNA_SERVER_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "waitlistId": "wl_launch", "entries": [{ "email": "ada@example.com" }] }'
ts
const headers = {
  Authorization: `Bearer ${process.env.LUCERNA_SERVER_KEY}`,
  "Content-Type": "application/json",
};

Getting and rotating a key

Open the dashboardWaitlist → API to copy your server key. From the same screen you can rotate it: rotating revokes the old key immediately and issues a new one, so update your environment variables before rotating in production.

Keep server keys secret

A server key can write to your waitlist, so treat it like a password:

  • Only use it from your backend. Never embed it in a web page, mobile app, or any client that ships to users.
  • Store it in an environment variable (e.g. LUCERNA_SERVER_KEY), not in source control.
  • Rotate it if it's ever exposed.

If you need to collect signups directly from a browser without a backend, proxy the request through a small server-side endpoint of your own that holds the key.

Public invite endpoints

Validating and accepting an invite code require no key. They act on a single, revocable invite code rather than your account, so they're safe to call from a browser-side join page. Don't send your server key to these endpoints.

Errors

A missing or invalid server key on the signup endpoint returns 401:

json
{ "code": "unauthorized", "message": "Missing or invalid server key" }

See Errors for the full list.

Lucerna Waitlist API