Authentication overview
markerapi, a tool for website bug reporting and visual feedback, handles user authentication through two mechanisms: API keys for server-side integrations and browser extension permissions (backed by session tokens the extension manages internally) for client-side operations. API keys cover automated workflows, extension permissions cover direct user interaction. For integrations with project management tools, the API key lets the two services exchange data without the user's login credentials ever being handed to the third-party application.
The system supports collaboration by letting users capture and annotate screenshots directly from their browsers, then submit reports to connected platforms such as Jira, Trello, Asana, and Slack. The underlying authentication mechanisms are designed to maintain data integrity and user privacy, aligning with compliance standards such as GDPR. Users are responsible for managing their API keys, which both identify the workspace and authorize access to it when interacting with integrated services.
Supported authentication methods
markerapi supports authentication methods tailored to its operational model, which combines browser-based visual feedback with backend integration capabilities. The primary methods include API keys and browser extension permissions, each serving distinct purposes within the markerapi ecosystem.
API Key Authentication
Purpose: API keys are used for authenticating server-to-server communications, particularly when markerapi integrates with external project management, CRM, or communication platforms. These keys grant programmatic access to specific functionalities within the markerapi workspace, allowing for automated data synchronization and workflow triggers.
Mechanism: When configuring an integration with a service like Jira or Trello, users typically provide an API key generated from their markerapi workspace. The key is both an identifier and an authorization credential, and it is a bearer credential: whoever presents it is treated as the workspace, so it must only ever travel over TLS. The key is usually sent in a request header or, depending on the specific integration's requirements, as part of the request payload.
Security Considerations: API keys are long-lived tokens and should be treated with the same care as passwords. Best practices include restricting each key's scope to what the integration needs, rotating keys regularly, and never embedding them in client-side code or public repositories. OWASP (the Open Worldwide Application Security Project) publishes guidance on API key handling that emphasizes server-side storage and transmission only over secure channels.
Browser Extension Permissions
Purpose: For client-side operations, such as capturing screenshots, adding annotations, and submitting feedback directly from a web page, markerapi relies on permissions granted to its browser extension. This method ensures that the extension can interact with the user's browser environment and access the markerapi service without requiring explicit API key management by the end-user for every interaction.
Mechanism: The permissions the extension needs (for example, access to website data and capture of the visible tab) are declared in its manifest and shown to the user at install time; browsers grant some of them only on demand, for instance Chrome grants activeTab only for the tab the user has clicked the extension on. Once granted, these permissions let the extension read and capture the page within the browser's extension sandbox. The extension then communicates with the markerapi backend using internal session tokens that the extension and the markerapi service manage automatically after the user logs in.
Security Considerations: Install browser extensions only from trusted sources and compare the permissions requested with what the feature actually needs; access to all sites, cookies, or browsing history is a much larger grant than capturing the current tab. Modern browsers let users inspect and revoke an extension's permissions and site access from the extension management page. Browser extension security is a critical part of web application security, and Google publishes developer guidelines for Chrome extension security best practices.
Here is a summary of the authentication methods:
| Method | When to use | What its security rests on |
|---|---|---|
| API Key | Server-side integrations (e.g., Jira, Trello, Asana, Slack) | A long-lived bearer secret: anyone holding it can act as the workspace, so it depends on secure storage, transmission over TLS, and rotation |
| Browser Extension Permissions | Client-side visual feedback, screenshot capture, annotations | The permissions the user grants at install, the browser's extension sandbox, and the internal session tokens the extension manages after login |
Getting your credentials
To access and manage your markerapi credentials, including API keys for integrations, you will need to navigate to your workspace settings within the markerapi dashboard. The process typically involves:
- Logging In: Access your markerapi account through the official homepage at marker.io using your registered username and password.
- Navigating to Workspace Settings: Once logged in, locate the 'Settings' or 'Workspace Settings' section, often accessible via a gear icon or your profile menu.
- Finding API Keys or Integrations: Within the settings, look for a section related to 'Integrations', 'API Keys', or 'Developers'. This is where you can generate new API keys or view existing ones. For specific instructions, refer to the markerapi integrations documentation.
- Generating a New API Key: If you need a new API key, there will typically be an option to 'Generate New Key' or a similar function. Follow the prompts, and make sure to copy the key immediately upon generation, as it may not be visible again for security reasons.
- Managing Browser Extension: For the browser extension, credentials are typically handled automatically after installation and user login within the extension itself. You can manage the extension's permissions directly from your browser's extension management page.
Always store your API keys securely and never share them publicly. If an API key is compromised, revoke it immediately from your markerapi dashboard and generate a new one.
Authenticated request example
While markerapi primarily uses API keys for server-side integrations with popular project management tools rather than direct public API access, an authenticated request typically involves including the API key in the HTTP request headers. The exact implementation depends on the specific integration you are configuring. However, conceptually, it follows a standard pattern for API key authentication.
For instance, if you were setting up an integration with a tool like Trello, and markerapi needed to authenticate with Trello's API, the request might look like this (illustrative, as markerapi handles outbound authentication to integrated services):
```http
POST /1/cards HTTP/1.1
Host: api.trello.com
Authorization: OAuth oauth_consumer_key="YOUR_TRELLO_KEY", oauth_token="YOUR_TRELLO_TOKEN"
Content-Type: application/json

{
  "name": "Bug Report from Marker.io",
  "desc": "Detailed bug description from screenshot",
  "idList": "YOUR_TRELLO_LIST_ID"
}
```
Trello's REST API is rooted at `/1/`, and it accepts the key and token either as `key` and `token` query parameters or in the `Authorization: OAuth ...` header shown here; the header form keeps the credentials out of URLs and access logs.
In a scenario where an external service (e.g., a custom webhook) sends data to markerapi and requires authentication, markerapi would likely expect a specific API key in the request header or query parameters. The markerapi documentation on integrations provides specific configuration details for each supported platform, guiding users on how to properly authenticate these connections.
For browser extension functionality, authentication is session-based and handled internally by the extension after the user logs into their markerapi account. There isn't a direct API request example for client-side interactions as the browser extension abstracts this away from the end-user.
Security best practices
Securing your markerapi account and integrations is crucial for protecting sensitive feedback and project data. Adhering to established security best practices can mitigate risks associated with credential compromise and unauthorized access.
- Strong, Unique Passwords: Use a long password for your markerapi account, either a passphrase or one generated by a password manager, and never reuse it on another service. Length and uniqueness protect you far more than mixing character classes; a reused password is the one most likely to be tried against your account after a breach elsewhere.
- Two-Factor Authentication (2FA): If markerapi offers 2FA, enable it immediately. 2FA adds an extra layer of security by requiring a second verification step, such as a code from a mobile authenticator app, in addition to your password. This significantly reduces the risk of unauthorized access even if your password is stolen.
- API Key Management:
- Limit Scope: Only grant API keys the minimum necessary permissions. Avoid creating keys with broad access if only specific functionalities are required.
- Secure Storage: Never hardcode API keys directly into client-side code, public repositories, or unsecured configuration files. Store them in secure environment variables, secret management services, or encrypted configuration stores.
- Regular Rotation: Periodically rotate your API keys. If a key is compromised, rotating it ensures that the old key becomes invalid, preventing further misuse.
- Restrict Origins: Where the service supports it, restrict a key to the IP addresses the integration actually runs from, which limits the damage if the key leaks. Domain or Origin-header restrictions only constrain browser-originated requests, since any other client can set that header to whatever it likes, so treat them as a convenience rather than a control.
- Browser Extension Security:
- Install from Official Sources: Only download and install the markerapi browser extension from official browser stores (e.g., Chrome Web Store, Firefox Add-ons).
- Review Permissions: Carefully review the permissions requested by the extension during installation. Understand what data the extension can access and why.
- Keep Updated: Ensure your browser and all extensions are kept up-to-date. Updates often include security patches for newly discovered vulnerabilities.
- Principle of Least Privilege: Grant users and integrations only the permissions they absolutely need to perform their tasks. Regularly review access levels and revoke privileges that are no longer required.
- Monitor for Suspicious Activity: Regularly review activity logs within your markerapi account and integrated services for any unusual or unauthorized actions.
- Secure Development Practices: When developing custom integrations or webhooks, follow secure coding practices to prevent vulnerabilities like injection attacks or cross-site scripting (XSS) that could lead to credential exposure. The Mozilla Developer Network's web security documentation offers comprehensive guidance on secure web development.