API Keys

API keys authenticate direct backend requests. If you’re calling the API through the dashboard proxy (/api/proxy), your client does not need to send a key.

Use an API key (direct backend)

Include your API key in the X-API-Key header:

Direct backend example

curl "https://YOUR_BACKEND_DOMAIN/snapshot" \
  -H "X-API-Key: your-api-key"

The dashboard proxy signs requests server-side with a short-lived token, so the browser never sees a long-lived API key:

Dashboard proxy example

curl "https://YOUR_DASHBOARD_DOMAIN/api/proxy/snapshot"

Key rotation guidance

  • Rotate keys on a schedule (monthly/quarterly) for production customers.
  • Revoke keys immediately if you suspect compromise.
  • Never embed keys in client-side bundles; prefer the proxy pattern for frontends.
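
The last rule can be enforced in CI before a frontend build ships. The function below is an added example, not part of the original documentation or the project's own tooling. It assumes the key is available to the CI job as a variable and that the build output lives in a directory such as dist (both names are hypothetical).

```shell
#!/bin/sh
# Added example: fail a build when the frontend bundle contains API key
# material. Only file names are reported, never the key itself.
#
# scan_bundle DIR KEY
#   returns 0 when DIR is clean
#   returns 1 when the key (raw or base64-encoded) or an X-API-Key header
#             reference appears in any file under DIR
#   returns 2 on bad arguments (missing directory or empty key)
# Typical CI call (names are assumptions): scan_bundle dist "$API_KEY"
scan_bundle() {
  sb_dir=$1
  sb_key=$2
  [ -d "$sb_dir" ] && [ -n "$sb_key" ] || return 2
  sb_rc=0

  # The base64 form catches keys that were "hidden" by encoding them
  # before bundling; encoding is not protection.
  sb_b64=$(printf '%s' "$sb_key" | base64 | tr -d '\n')

  for sb_needle in "$sb_key" "$sb_b64"; do
    # -F treats the key as a fixed string, so characters in the key are
    # never interpreted as a regular expression.
    sb_hits=$(grep -rlF -- "$sb_needle" "$sb_dir" 2>/dev/null || true)
    if [ -n "$sb_hits" ]; then
      echo "API key material found in:" >&2
      echo "$sb_hits" >&2
      sb_rc=1
    fi
  done

  # Heuristic: a frontend that calls /api/proxy does not send X-API-Key,
  # so any reference to the header in the bundle deserves a look.
  sb_hits=$(grep -rliF -- "x-api-key" "$sb_dir" 2>/dev/null || true)
  if [ -n "$sb_hits" ]; then
    echo "X-API-Key header referenced in:" >&2
    echo "$sb_hits" >&2
    sb_rc=1
  fi

  return "$sb_rc"
}
```

A non-zero return should fail the pipeline; a hit on the key itself also means the key should be revoked and rotated, since it may already have been published.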