Skip to main content
API keys are available on the Enterprise plan. See pricing for details.

Base URL

All API requests are made to: 
https://api.dronebundle.com/v1
For requests that include a body (POST, PATCH), set the Content-Type header to application/json.

API keys

DroneBundle uses API keys to authenticate requests. Each key is tied to a specific workspace, so all resources you create or access through the key belong to that workspace. API keys use the prefix v1_ and are passed as a Bearer token in the Authorization header. 
curl -X GET https://api.dronebundle.com/v1/projects \
  -H "Authorization: Bearer v1_your_api_key_here"

Creating an API key

  1. Log in to your DroneBundle dashboard
  2. Click Create API Key
  3. Give the key a name (e.g., “n8n Integration”, “Internal Dashboard”)
  4. Select a scope
  5. Copy the key and store it somewhere safe
The full key is only shown once. If you lose it, you will need to create a new one.

Scopes

Each API key has a scope that controls what it can do:
ScopeAllowed methodsDescription
read_onlyGETCan only read data. Any POST, PATCH, or DELETE request will be rejected.
full_accessGET, POST, PATCH, DELETECan read and write data.

Rate limits

The API allows up to 1000 requests per minute. Requests that exceed this limit will be rejected.

Error responses

When authentication fails, the API returns a 403 status code with a JSON body explaining the reason. Invalid or missing key 
{
  "message": "Invalid API key",
  "code_name": "invalid_api_key"
}
Inactive key 
{
  "message": "API key is not active",
  "code_name": "api_key_inactive"
}
Read-only key used for a write operation 
{
  "message": "API key has read-only access",
  "code_name": "read_only_access"
}
Enterprise plan required 
{
  "message": "API keys require an Enterprise plan",
  "code_name": "enterprise_required"
}
Endpoint not available via API key 
{
  "message": "API key access not allowed for this endpoint",
  "code_name": "api_key_path_not_allowed"
}
API keys grant access to your workspace data. Keep them secure and never expose them in client-side code or public repositories.