API Keys
Create and manage API keys to authenticate requests to your DYPAI backend.
Overview
API keys provide a simple way to authenticate machine-to-machine communication:
- Server-to-server integrations
- Backend services
- CI/CD pipelines
- Third-party integrations
Never expose API keys in client-side code. Use them only in server environments.
Creating API Keys
- Navigate to Settings: Go to your project settings and select "API Keys".
- Click Create Key: Click "Create API Key" to generate a new key.
- Configure Key: Set a name, description, and optionally an expiration date.
- Copy Key: Copy the generated key immediately. It won't be shown again.
Store your API key securely. Once created, the full key is never displayed again.
Key Types
| Type | Permissions | Use Case |
|---|---|---|
| Public (anon) | Read-only, limited | Client-side projects (with RLS) |
| Service Role | Full access, bypass RLS | Backend services, admin tasks |
| Custom | Configurable | Third-party integrations |
Using API Keys
Include your API key in the request headers:
```javascript
// JavaScript/TypeScript
const response = await fetch('https://your-project.dypai.io/api/v1/users', {
  method: 'GET',
  headers: {
    'Content-Type': 'application/json',
    'X-API-KEY': 'your-api-key-here'
  }
});
```
With cURL
```bash
curl -X GET \
  'https://your-project.dypai.io/api/v1/users' \
  -H 'Content-Type: application/json' \
  -H 'X-API-KEY: your-api-key-here'
```
With Python
```python
import requests

response = requests.get(
    'https://your-project.dypai.io/api/v1/users',
    headers={
        'Content-Type': 'application/json',
        'X-API-KEY': 'your-api-key-here'
    }
)
data = response.json()
```
Environment Variables
Store API keys in environment variables:
```bash
# .env file (never commit to git!)
DYPAI_API_KEY=your-api-key-here
```
```javascript
// Use in code
const apiKey = process.env.DYPAI_API_KEY;
```
Add .env to your .gitignore to prevent accidentally committing secrets.
Key Permissions
Configure granular permissions for custom keys:
```json
{
  "permissions": {
    "database": {
      "users": ["read"],
      "posts": ["read", "write"],
      "comments": ["read", "write", "delete"]
    },
    "storage": {
      "avatars": ["read", "write"],
      "documents": ["read"]
    },
    "functions": ["execute"]
  }
}
```
Rate Limiting
API keys have configurable rate limits:
| Plan | Default Limit |
|---|---|
| Free | 100 requests/minute |
| Pro | 1,000 requests/minute |
| Enterprise | Custom |
Rate limit headers in the response:
```
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1704067200
```
Revoking Keys
Revoke API keys immediately if compromised:
- Go to project settings → API Keys
- Find the key to revoke
- Click "Revoke" and confirm
Revoking a key immediately invalidates all requests using that key.
Key Rotation
Regularly rotate API keys for security:
- Create a new API key
- Update your applications to use the new key
- Verify everything works with the new key
- Revoke the old key
Security Best Practices
- Never expose keys in client-side code or public repositories
- Use environment variables or secret managers
- Rotate keys regularly (every 90 days recommended)
- Use the minimum permissions necessary
- Monitor key usage for anomalies
- Revoke unused or compromised keys immediately
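The "minimum permissions necessary" practice can be checked mechanically against the custom-key format shown under Key Permissions, by diffing what a key grants against what the integration actually needs. This is an added example, not DYPAI code: `flattenGrants`, `auditKey` and the `REQUIRED` document are hypothetical names and constructed sample data, and it assumes only the two shapes that appear in the page's sample (resource-to-actions maps and a bare action list).

```javascript
// Added example. GRANTED is the permissions document from "Key Permissions".
const GRANTED = {
  permissions: {
    database: { users: ['read'], posts: ['read', 'write'], comments: ['read', 'write', 'delete'] },
    storage: { avatars: ['read', 'write'], documents: ['read'] },
    functions: ['execute']
  }
};

// Constructed sample: needs of a hypothetical comment-moderation integration.
const REQUIRED = {
  permissions: {
    database: { users: ['read'], comments: ['read', 'delete'] },
    functions: ['execute']
  }
};

// Flatten a document into a Set of "scope/resource:action" strings. A scope is
// either {resource: [actions]} (database, storage) or a bare action array (functions).
function flattenGrants(doc) {
  const out = new Set();
  for (const [scope, value] of Object.entries(doc.permissions || {})) {
    if (Array.isArray(value)) {
      for (const action of value) out.add(`${scope}:${action}`);
    } else if (value && typeof value === 'object') {
      for (const [resource, actions] of Object.entries(value)) {
        if (!Array.isArray(actions)) throw new TypeError(`bad actions for ${scope}/${resource}`);
        for (const action of actions) out.add(`${scope}/${resource}:${action}`);
      }
    } else {
      throw new TypeError(`bad scope value for ${scope}`);
    }
  }
  return out;
}

// excess: granted but not needed (trim before issuing the key).
// missing: needed but not granted (the integration would fail).
function auditKey(granted, required) {
  const have = flattenGrants(granted);
  const need = flattenGrants(required);
  return {
    excess: [...have].filter((g) => !need.has(g)).sort(),
    missing: [...need].filter((g) => !have.has(g)).sort()
  };
}

const report = auditKey(GRANTED, REQUIRED);
console.log(JSON.stringify(report, null, 2));
```

A non-empty `excess` list is the set of grants to remove from the custom key before handing it to the integration.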