API Keys
Create, configure, and manage API keys from your dashboard.
API keys authenticate your requests to the API. You manage them entirely from the dashboard: set a category, restrict usage with rolling quotas, add an expiry date, and monitor activity per key through request logs.
For how to include a key in a request, see the Introduction.
Creating a key
Fill in the fields
Give the key an alias (unique label for your own reference), pick a category, and optionally configure quotas and an expiry date.
Copy the secret
After saving, the secret is shown once. Copy it immediately and store it in an environment variable. It cannot be retrieved again.
Key fields
| Field | Description |
|---|---|
| Alias | Unique label per account. Shows up in logs and dashboard filters. |
| Category | Organizational tag (see Categories). Has no effect on API behavior. |
| Active | Enables or disables the key. Inactive keys are rejected immediately with 401 Inactive API Key. |
| Expires | Optional date after which the key stops working. Leave blank for no expiry. |
| Request quotas | Optional per-key caps on rolling time windows (see Per-key quotas). |
Categories
Categories tag keys for your own organization. They appear in dashboard filters and analytics but do not change how the API processes a request.
| Category | Typical use |
|---|---|
production | Live traffic, customer-facing systems |
development | Local development and testing |
staging | Pre-production and CI environments |
| Custom | Any free-text label, e.g. sandbox, partner-acme |
Keep one key per environment so you can revoke or rotate it independently.
Per-key quotas
Each key can have independent hard caps on request volume, enforced on rolling windows (not calendar boundaries):
| Quota | Window |
|---|---|
| Total | All-time: the key is blocked permanently once reached |
| Daily | Last 24 hours (rolling, not midnight-to-midnight) |
| Weekly | Last 7 days (rolling) |
| Monthly | Last 30 days (rolling) |
Leave a field blank to apply no cap for that window. When a quota is reached, the API returns 401 Rate Limit Exceeded with the quota name in the message:
{ "error": "Rate limit exceeded: quota total" }{ "error": "Rate limit exceeded: quota daily" }{ "error": "Rate limit exceeded: quota weekly" }{ "error": "Rate limit exceeded: quota monthly" }Quota counts are aggregated from request logs and cached for up to 24 hours. Enforcement is accurate within that window, not to the exact request.
Per-key quotas are distinct from plan-level rate limits (per-second and per-minute caps that apply account-wide). Plan limits return 429 Too Many Requests. See Error Handling for details.
Expiry
Set an expiry date on keys used in scripts, CI pipelines, or partner integrations. Once the date passes, the API returns:
{ "error": "Expired API Key" }HTTP status 401. Create and deploy a replacement key before the expiry date to avoid any downtime.
Request logs
Every request made with a key is recorded under API Keys → Logs in the dashboard. Each entry shows:
| Field | Description |
|---|---|
| Endpoint | HTTP method and path |
| Status | Response status code |
| Duration | Time to first byte (ms) |
| IP | Caller IP address |
| Credits | Credits charged for this request |
Use logs to audit activity per key, debug unexpected errors, or identify traffic from compromised keys.
Deactivating vs. deleting
| Action | Effect |
|---|---|
| Deactivate | Key is blocked immediately. Usage history and settings are kept. Can be reactivated. |
| Delete | Permanently removes the key and its configuration. Only possible if the key has never been used. |
Prefer deactivation over deletion. If a key has request history, it cannot be deleted. The history is retained for billing and auditing.
Rotating a key
Create the replacement
Go to dashboard → API Keys → New and create a new key with the same category and quota settings. Give it a new alias to distinguish it.
Deploy the new key
Update the environment variable in every system that uses the old key and redeploy.
Deactivate the old key
Set the old key to inactive in the dashboard. This blocks any remaining requests without removing its history.
Error reference
| Error | Status | Cause |
|---|---|---|
Invalid API Key | 401 | Key not found or malformed |
Inactive API Key | 401 | Key is disabled |
Expired API Key | 401 | Key has passed its expiry date |
Rate limit exceeded: quota … | 401 | Per-key rolling quota reached |
exceeded the … rate limit on your subscription | 429 | Plan-level per-second or per-minute cap |
IP temporarily blocked | 403 | Too many failed auth attempts from the same IP |
See also: Best Practices for security guidelines and Glossary for term definitions.