Authentication
Bearer-token auth. One key per environment, multiple keys per account.
Bearer tokens
All API calls must include an Authorization header:
Authorization: Bearer rk_live_YOUR_KEY

Keys are 36-character strings prefixed with rk_live_ (production) or rk_test_ (sandbox, when available).
Where to get a key
- Sign up or sign in
- Go to API Keys in the dashboard
- Click Create new key; the key is shown once
Keys are hashed at rest. We cannot recover a lost plaintext key — rotate it instead.
Rotating keys
Create a new key, deploy it, then revoke the old one. Revocation takes effect within 60 seconds. There is no rate limit on key creation.
Multiple keys per account
You can create up to 10 active keys per organization. Each key is independently revokable. Common patterns:
- One key per service (production-app, batch-cron, ci-tests)
- One key per developer (rotate when someone leaves)
- One key per customer (if you're reselling)
Scopes
Keys default to read access. Future scopes (write access for refresh-on-demand, admin access for org management) ship later. Today there is one effective scope.
Errors
| Status | Meaning |
|---|---|
| 401 | Missing or malformed bearer token |
| 403 | Key revoked, expired, or out of quota |
| 429 | Per-minute throttle exceeded |
| 402 | Account past due (paid plan only) |
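The following is an added example, not the vendor's SDK or any code from this page: a minimal client wrapper that reads the key from an environment variable, sends it as the Authorization bearer header shown above, maps the status codes from the Errors table to an exception, and retries once on 429. The env var name RK_API_KEY, the base URL api.example.invalid and the backoff delay are assumptions; the service documents no Retry-After header, so the delay is a fixed guess.

```python
"""Added example (not the vendor's SDK): bearer-token client with documented
error mapping. Assumed names: RK_API_KEY env var, api.example.invalid host."""
import os
import time
import urllib.error
import urllib.request

# Status codes from the Errors table, mapped to their documented meaning.
STATUS_REASONS = {
    401: "missing or malformed bearer token",
    402: "account past due (paid plan only)",
    403: "key revoked, expired, or out of quota",
    429: "per-minute throttle exceeded",
}


class ApiAuthError(Exception):
    def __init__(self, status, reason):
        super().__init__(f"HTTP {status}: {reason}")
        self.status = status
        self.reason = reason


def load_key(env_var="RK_API_KEY"):
    """Read the key at call time (not import time) so a redeployed env var
    takes effect without a restart during rotation. Env var name is assumed."""
    key = os.environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set; keys belong in env vars or a secret manager")
    return key


def redact(key):
    """Safe form for logs: keep the environment prefix and last 4 chars only."""
    return key[:8] + "..." + key[-4:] if len(key) > 12 else "***"


def auth_header(key):
    return {"Authorization": f"Bearer {key}"}


def classify(status):
    """None for a 2xx; otherwise an ApiAuthError naming the documented failure."""
    if 200 <= status < 300:
        return None
    return ApiAuthError(status, STATUS_REASONS.get(status, "unexpected status"))


def _urllib_send(req):
    """Default transport: returns (status, body) and never raises on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def get(url, key, send=None, sleep=time.sleep, max_retries=1):
    """GET url with the bearer header. `send(request) -> (status, body)` is
    injectable so the logic can be exercised offline. Only 429 is retried;
    401/402/403 are configuration or account problems that a retry cannot fix."""
    send = send or _urllib_send
    req = urllib.request.Request(url, headers=auth_header(key))
    for attempt in range(max_retries + 1):
        status, body = send(req)
        err = classify(status)
        if err is None:
            return body
        if status == 429 and attempt < max_retries:
            sleep(2.0 * (attempt + 1))  # assumed backoff; the page documents no Retry-After
            continue
        raise err


if __name__ == "__main__":
    k = load_key()
    print("using key", redact(k))  # never print the full key
    print(get("https://api.example.invalid/v1/ping", k))
```

Because `get` rejects 401/402/403 without retrying, a revoked key fails fast and loudly after rotation rather than silently hammering the throttle.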
OAuth (coming Phase 2)
OAuth 2.0 / OpenID Connect for SaaS integrators ships with the dashboard's OAuth-app feature in mid-2026. Until then, all auth is API-key.
Storing keys securely
- Never commit keys to git. Use environment variables or a secret manager.
- Don't put keys in browser-side code. They are server-only.
- For MCP setup, the env-var pattern is preferred over inline config.
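To back up the "never commit keys" rule with a check, here is an added example (not the vendor's tooling and not from this page): a small scanner that flags rk_live_/rk_test_ keys in text such as staged files or config, suitable as a pre-commit hook. It assumes the documented 36-character length includes the 8-character prefix, leaving 28 key characters, and that those characters are alphanumeric; both are assumptions about the key format. The sample lines it scans are constructed.

```python
"""Added example (not the vendor's tooling): flag rk_live_/rk_test_ keys in
files before they reach git. Format assumptions: 36 chars total including the
8-char prefix, remaining 28 chars alphanumeric."""
import re
import sys

PREFIX_LEN = len("rk_live_")      # same length as "rk_test_"
KEY_LEN = 36
KEY_RE = re.compile(r"\brk_(live|test)_[A-Za-z0-9]{%d}\b" % (KEY_LEN - PREFIX_LEN))


def is_well_formed(key):
    """True if `key` matches the assumed key shape exactly."""
    return len(key) == KEY_LEN and KEY_RE.fullmatch(key) is not None


def redact(key):
    """Log-safe form: environment prefix plus last 4 characters."""
    return key[:PREFIX_LEN] + "..." + key[-4:]


def find_keys(text):
    """Return (line_no, redacted_key, environment) for each key found in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            hits.append((line_no, redact(m.group(0)), m.group(1)))
    return hits


def scan_files(paths):
    """Scan each path; returns {path: hits} for paths that contain keys."""
    findings = {}
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_keys(fh.read())
        except OSError:
            continue
        if hits:
            findings[path] = hits
    return findings


# Constructed sample: one inline production key, one sandbox key in JSON config,
# and a harmless env-var reference that must not be flagged.
SAMPLE = (
    "export RK_API_KEY=rk_live_" + "a" * 28 + "\n"
    '{"api_key": "rk_test_' + "B" * 28 + '"}\n'
    '{"api_key": "${RK_API_KEY}"}\n'
)


if __name__ == "__main__":
    # Usage as a hook: python scan_keys.py $(git diff --cached --name-only)
    targets = sys.argv[1:]
    findings = scan_files(targets) if targets else {"<sample>": find_keys(SAMPLE)}
    for path, hits in findings.items():
        for line_no, shown, env in hits:
            print(f"{path}:{line_no}: {env} key {shown}")
    sys.exit(1 if findings else 0)
```

The redacted form is what should reach hook output or CI logs; the scanner never echoes a full key, so a finding does not itself leak the secret into build logs.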