API Keys

All tiers

Manage API keys from your dashboard. Every API call requires a key in the Authorization: Bearer ... header.

Creating a key

On /dashboard/keys, click Create new key. Give it a label that describes where the key will live (e.g. production-api, staging-batch-job, ci-tests). Labels are required and unique per account; they help when you have multiple keys and need to rotate one.

The full key value (e.g. vk_live_abc123def456...) is shown once at creation. Copy it immediately to your secrets manager (env vars, AWS Secrets Manager, Doppler, etc.). Keys cannot be retrieved later — only the prefix and suffix are stored for display.

Storage best practices

  • Never commit keys to git. Use .env + .gitignore, or a dedicated secrets manager.
  • Don't expose keys in client-side code. If you need browser-side rating reads, proxy through your backend.
  • One key per environment. Don't share a "production" key across staging — that's how staging mistakes nuke production budgets.
  • Rotate every 90 days. Create the new key, deploy it, then revoke the old. Zero downtime.
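
A pre-commit style check for the "never commit keys to git" rule above, as an added example that is not Verdict's own tooling: it flags strings that look like live keys and reports them redacted. The key pattern (vk_live_ followed by at least 10 alphanumeric characters), the redaction lengths and all function names are assumptions; this page only shows the vk_live_ prefix.

```python
import re

# Assumption: a key is "vk_live_" followed by 10+ alphanumeric characters.
# The docs only show the vk_live_ prefix, so tune charset and length to
# match the keys your dashboard actually issues.
KEY_RE = re.compile(r"vk_live_[A-Za-z0-9]{10,}")

# Placeholder used in the docs' header example; safe to leave in READMEs.
PLACEHOLDERS = {"vk_live_yourkeyhere"}


def redact(key: str) -> str:
    """Keep the fixed prefix and last 4 characters so the report leaks little."""
    return f"{key[:8]}...{key[-4:]}"


def scan_text(name: str, text: str) -> list[tuple[str, int, str]]:
    """Return (file name, line number, redacted key) for each key-like string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            if match.group(0) not in PLACEHOLDERS:
                findings.append((name, lineno, redact(match.group(0))))
    return findings


def scan_files(paths: list[str]) -> list[tuple[str, int, str]]:
    """Scan files on disk, e.g. the staged paths handed to a pre-commit hook."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(path, fh.read()))
        except OSError:
            continue  # deleted, unreadable, or a directory: nothing to scan
    return findings


if __name__ == "__main__":
    import sys

    hits = scan_files(sys.argv[1:])
    for path, lineno, shown in hits:
        print(f"{path}:{lineno}: possible Verdict API key {shown}", file=sys.stderr)
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit
```

Run it with the staged file paths as arguments; any key it reports should be treated as leaked and revoked, not just removed from the file.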

Rotation

To rotate a key without downtime: create a new key with a new label, deploy it to production, verify traffic is using the new key (the dashboard's Usage page shows per-key request counts), then revoke the old key.

Revocation

Click the trash icon next to a key on /dashboard/keys, then confirm. Revoked keys return 401 Unauthorized on every subsequent request — propagation is instant. Revocation is permanent; the same key string cannot be re-enabled.

If you suspect a key is leaked

Revoke immediately, then create a replacement. Check the Usage page for any unexpected request volume in the last 30 days. Email support@verdict.finance if you need a usage audit.

Key limits

Each account can have up to 5 active keys. This headroom lets you separate environments (production / staging / CI) and rotate without downtime. Per-tier key limits are on the roadmap; until they ship, all tiers share the 5-key cap. Reach out to support@verdict.finance if you need a higher cap before then.

Authentication header format

Every authenticated API call must include the header:

Authorization: Bearer vk_live_yourkeyhere

A missing or malformed header returns 401 Unauthorized. See Errors & Troubleshooting for the full error-response shape.