Authentication
Every request is authenticated with an API key. Two equivalent forms:
```bash
# Header (recommended)
curl https://rasterkit.com/v1/usage -H "x-api-key: rk_live_..."
# Bearer token
curl https://rasterkit.com/v1/usage -H "authorization: Bearer rk_live_..."
```
Key types
| Prefix | Purpose |
|---|---|
| `rk_live_` | Production. Counts against your quota. |
| `rk_test_` | Development/staging. Same behavior, easier to recognize and rotate. |
Security model
- Keys are shown once at creation and stored as SHA-256 hashes — we cannot recover a lost key, only issue a new one.
- Each key has a separate signing secret used for signed URLs and webhook signatures; revealing a signed URL never reveals your API key.
- Revoke keys instantly from the dashboard; revocation propagates within 30 seconds.
- Never ship an API key in client-side code — use signed URLs for browser embeds instead.
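
The sketch below illustrates the storage model described in the list above: the plaintext key is returned once, only its SHA-256 digest is kept, and both header forms resolve to the same lookup. It is an added example, not RasterKit's implementation; the key length, the `key_` id format, the header precedence, and the names `KeyStore`, `extract_key` and `digest` are assumptions.

```python
import hashlib
import secrets

PREFIXES = ("rk_live_", "rk_test_")  # prefixes from the key types table


def digest(key: str) -> str:
    # Unsalted SHA-256 is adequate here because keys are long random strings.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def extract_key(headers: dict):
    """Return the key from either header form, or None."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    if "x-api-key" in h:  # assumption: this form wins if both are sent
        return h["x-api-key"]
    scheme, _, token = h.get("authorization", "").partition(" ")
    return token.strip() if scheme.lower() == "bearer" and token.strip() else None


class KeyStore:
    """Keeps SHA-256 digests only; plaintext exists just at creation."""

    def __init__(self):
        self.records = {}  # digest -> {"id": str, "revoked": bool}

    def issue(self, prefix: str):
        if prefix not in PREFIXES:
            raise ValueError("unknown key prefix")
        # Assumption: 32 random bytes; the real key length is not documented.
        key = prefix + secrets.token_urlsafe(32)
        key_id = "key_" + secrets.token_hex(4)  # hypothetical dashboard id
        self.records[digest(key)] = {"id": key_id, "revoked": False}
        return key_id, key  # the only time the plaintext key is available

    def revoke(self, key_id: str) -> None:
        for record in self.records.values():
            if record["id"] == key_id:
                record["revoked"] = True

    def authenticate(self, headers: dict) -> bool:
        key = extract_key(headers)
        if not key or not key.startswith(PREFIXES):
            return False
        record = self.records.get(digest(key))
        return record is not None and not record["revoked"]
```

Because the store holds only digests, a dump of `records` does not yield usable keys, and a lost key can only be replaced by issuing a new one.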