docs: Document Authorization: Bearer header for HTTP API auth

claudespice · lukekim · commit 6ffc124c2d0d · 2026-05-20T01:36:22.000+09:00
HTTP routes now accept the API key in either `X-API-Key` or `Authorization: Bearer ${api_key}`. The Bearer scheme matching is case-insensitive. When both headers are present `X-API-Key` takes precedence. Source: spiceai/spiceai#10911
diff --git a/website/docs/api/auth/index.md b/website/docs/api/auth/index.md
@@ -36,7 +36,7 @@ The API key authentication is applied on startup and changes will not take effec
 
 ## HTTP
 
-For HTTP routes, the API key is expected to be included in the `X-API-Key` header.
+For HTTP routes, the API key can be supplied in either the `X-API-Key` header or the `Authorization: Bearer ${ api_key }` header. The `Bearer` scheme is matched case-insensitively. If both headers are present, `X-API-Key` takes precedence.
 
 ```bash
 > curl -i "http://localhost:8090/v1/sql" -H "X-API-Key: 1234567890" -d 'SELECT 1'
@@ -50,6 +50,12 @@ date: Fri, 08 Nov 2024 07:14:24 GMT
 [{"Int64(1)":1}]
 ```
 
+Or using `Authorization: Bearer`:
+
+```bash
+> curl -i "http://localhost:8090/v1/sql" -H "Authorization: Bearer 1234567890" -d 'SELECT 1'
+```
+
 The `/health` and `/v1/ready` endpoints are not protected and can be accessed without an API key.
 
 ## Flight SQL
