Authentication
How API keys work — environments, rotation, revocation.
Every protected request must include the X-API-Key header.
Key format
Keys look like:
- env is live for production traffic or test for SANDBOX.
- Only the first 12 characters (gdk_live_xxxx) are shown in the dashboard after creation — the full key is displayed once at create time. Save it somewhere safe.
Internally we store only a SHA-256 hash of the key, so we can never recover the raw value if you lose it.
Plan limits
Each plan has a maximum number of active keys:
| Plan | Active keys |
|---|---|
| FREE | 2 |
| PRO | 10 |
| ENTERPRISE | unlimited |
Revoked keys do not count toward the limit.
Environments
| Environment | When to use |
|---|---|
| LIVE | Production traffic, billed against your plan. |
| SANDBOX | Testing and CI. Same routes, isolated quota counters. |
Rotation
Treat keys like passwords. Rotate periodically by creating a new key, deploying it, then revoking the old one. There is no expiry by default — you control the lifecycle from the API keys page.
Revocation
Revoking a key sets isActive = false server-side. The Redis cache for that
key is invalidated immediately, so the next request returns 401 REVOKED_API_KEY
within seconds.
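The sketch below ties together hash-only storage, the per-plan active-key limit, and revocation with cache invalidation. It is an added example, not this service's code. The random part of the key, the in-memory dict standing in for Redis, and the INVALID_API_KEY code for unknown keys are assumptions.

```python
import hashlib
import secrets

PLAN_LIMITS = {"FREE": 2, "PRO": 10, "ENTERPRISE": None}  # plan table; None = unlimited


class KeyStore:
    """In-memory stand-in for the key table plus the Redis lookup cache."""

    def __init__(self, plan):
        self.plan = plan
        self.rows = {}   # sha256 hex digest -> {"prefix": str, "isActive": bool}
        self.cache = {}  # digest -> cached isActive flag (plays the role of Redis)

    @staticmethod
    def digest(raw_key):
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def create(self, env):
        limit = PLAN_LIMITS[self.plan]
        active = sum(1 for row in self.rows.values() if row["isActive"])
        if limit is not None and active >= limit:  # revoked keys are not counted
            raise PermissionError("active key limit reached for plan")
        # Assumed layout: gdk_<env>_<random>; the random part's length is hypothetical.
        raw = f"gdk_{env}_{secrets.token_hex(16)}"
        self.rows[self.digest(raw)] = {"prefix": raw[:12], "isActive": True}
        return raw  # returned once; only the digest and display prefix persist

    def revoke(self, key_hash):
        self.rows[key_hash]["isActive"] = False
        self.cache.pop(key_hash, None)  # invalidate so the next request re-reads the row

    def authenticate(self, header_value):
        """Check the X-API-Key header value; returns (status, code)."""
        d = self.digest(header_value or "")
        if d not in self.cache:
            row = self.rows.get(d)
            if row is None:
                return 401, "INVALID_API_KEY"  # hypothetical code, not from the page
            self.cache[d] = row["isActive"]
        return (200, "OK") if self.cache[d] else (401, "REVOKED_API_KEY")
```

Skipping the `cache.pop` in `revoke` would let a revoked key keep returning 200 until the cached entry aged out, which is why the invalidation step matters.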
Demo endpoint (no key)
The landing page exposes /v1/demo/suggest, an unauthenticated route that's
IP-rate-limited at 30 requests/minute. Use it for marketing demos only —
production traffic must use a real key.