Authentication
All API requests are authenticated with a bearer token sent in the Authorization header.
API key format
API keys are prefixed to indicate their type:
| Prefix | Type |
|---|---|
| sk_live_ | Live key — use in production |
| sk_test_ | Test key — identical behavior, flagged separately in usage logs |
Both key types screen against the same live data. Test keys are useful during integration to keep test traffic separated in your usage logs.
Authorization header
Pass your key as a bearer token:
Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxMissing or malformed headers return 401 unauthorized. Revoked or invalid keys return the same error — no distinction is made to prevent enumeration.
Plan access
API access requires a paid plan (Starter or higher). Free-tier keys return 403 forbidden with code forbidden.
{
"error": {
"code": "forbidden",
"message": "Your plan does not include API access. Upgrade to Starter or higher.",
"request_id": "req_abc123"
}
}Rotating keys
- Go to Dashboard → API Keys and create a new key.
- Update your application config or secrets manager with the new key.
- Deploy and verify traffic is flowing through the new key.
- Revoke the old key from the dashboard.
You can have multiple active keys simultaneously, which makes zero-downtime rotation straightforward.
Security best practices
- Never commit API keys to source code or version control.
- Store keys in environment variables or a secrets manager (AWS Secrets Manager, Vault, etc.).
- Use
sk_test_keys during development so test traffic is clearly separated. - Revoke keys immediately if they are exposed or compromised.
- Create separate keys for each service or environment.