Chameleon

API Keys

Manage API keys for programmatic access

Learn how to create, manage, and use API keys for programmatic access to Chameleon services.

Overview

API keys allow you to access Chameleon services programmatically without going through the web interface. You can create multiple keys for different applications, revoke them when needed, and use them to authenticate API requests.

Creating API Keys

Access API Key Management

  1. Sign in to your account
  2. Go to /api-keys in the user center
  3. Click Create New Key
  4. Enter a descriptive name for your key
  5. Click Create

API Key Information

When you create a new API key:

  • A unique key is generated (shown only once)
  • The key is hashed and stored securely in the database
  • You can set a custom name for identification
  • Keys don't expire automatically

Using API Keys

Basic API Call

const response = await fetch("https://your-domain.com/api/endpoint", {
  method: "POST",
  headers: {
    "X-API-Key": "your-api-key-here",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    // Your request data
  }),
});

const data = await response.json();

Using with cURL

curl -X POST "https://your-domain.com/api/endpoint" \
  -H "X-API-Key: your-api-key-here" \
  -H "Content-Type: application/json" \
  -d '{"key": "value"}'

Python Example

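import requests

headers = {
    "X-API-Key": "your-api-key-here",  # placeholder; load the real key from an environment variable
    "Content-Type": "application/json"
}

response = requests.post(
    "https://your-domain.com/api/endpoint",
    headers=headers,
    json={"key": "value"},
    timeout=10,  # requests has no default timeout and would otherwise wait indefinitely
)

data = response.json()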

JavaScript/Node.js Example

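const axios = require('axios');

// CommonJS modules have no top-level await, so the call runs inside an async function.
async function main() {
  const response = await axios.post('https://your-domain.com/api/endpoint', {
    key: 'value'
  }, {
    headers: {
      'X-API-Key': 'your-api-key-here',
      'Content-Type': 'application/json'
    }
  });

  console.log(response.data);
}

// Log only the message: the full axios error object carries the request headers, including the key.
main().catch((err) => console.error(err.message));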

API Key Management

Viewing API Keys

In the API Keys page, you can see:

  • Key name (custom identifier)
  • Creation date
  • Last used date
  • Status (active/revoked)

Revoking API Keys

  1. Go to /api-keys
  2. Find the key you want to revoke
  3. Click the Revoke button
  4. Confirm the action

Note: Revoked keys cannot be restored. You'll need to create a new key.

Best Practices

  • Use descriptive names - Name your keys based on their purpose (e.g., "Mobile App", "Webhook Service")
  • Rotate keys regularly - Create new keys and revoke old ones periodically
  • Store keys securely - Never commit API keys to version control
  • Use environment variables - Store keys in environment variables, not in code
  • Monitor usage - Check the "Last used" date to identify unused keys

Security

Key Storage

  • API keys are hashed using bcrypt before storage
  • Original keys are never stored in the database
  • Keys are shown only once during creation

Access Control

  • API keys provide access to the same resources as the user account, so a leaked key exposes everything that account can reach
  • Keys inherit the user's permissions and restrictions
  • Admin users can access admin endpoints with their API keys

Rate Limiting

API requests using keys are subject to rate limiting:

  • Standard users: 100 requests per minute
  • Premium users: 500 requests per minute
  • Admin users: 1000 requests per minute

File Locations

  • src/app/[locale]/(console)/api-keys/page.tsx - API keys management page
  • src/app/[locale]/(console)/api-keys/create/page.tsx - Create new API key
  • src/models/api-key.ts - API key data model
  • src/services/api-key.ts - API key business logic
  • src/middleware/auth.ts - API key authentication middleware

Common Tasks

Create API Key for Mobile App

  1. Go to /api-keys
  2. Click Create New Key
  3. Name it "Mobile App"
  4. Copy the generated key
  5. Store it securely in your mobile app

Create API Key for Webhook

  1. Go to /api-keys
  2. Click Create New Key
  3. Name it "Webhook Service"
  4. Use the key in your webhook configuration
  5. Test the webhook connection

Revoke Compromised Key

  1. Go to /api-keys
  2. Find the compromised key
  3. Click Revoke
  4. Create a new key to replace it
  5. Update your applications with the new key

Check API Key Usage

  1. Go to /api-keys
  2. Look at the "Last used" column
  3. Identify unused keys
  4. Consider revoking unused keys

Troubleshooting

API key not working

Problem: API requests return 401 Unauthorized

Solution:

  1. Check the API key is correct
  2. Verify the key hasn't been revoked
  3. Ensure the X-API-Key header is included
  4. Check for typos in the key

Key not found

Problem: API returns "API key not found"

Solution:

  1. Verify the key exists in your account
  2. Check if the key was revoked
  3. Ensure you're using the correct key
  4. Try creating a new key

Rate limit exceeded

Problem: API returns 429 Too Many Requests

Solution:

  1. Check your request frequency
  2. Implement exponential backoff
  3. Consider upgrading your account
  4. Optimize your API usage
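
An added example (not Chameleon's own code) of the backoff step above: it retries only on 429, returns 401 and other statuses immediately, and reads the key from an environment variable as the best practices advise. The variable name CHAMELEON_API_KEY and the handling of a Retry-After header are assumptions; the page specifies neither.

```python
import os
import random
import time
import urllib.error
import urllib.request

API_KEY_ENV = "CHAMELEON_API_KEY"  # assumed variable name, not defined by the page


def send_once(url, body, api_key):
    """Send one POST with the X-API-Key header; return (status, headers, body)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses arrive as exceptions
        return err.code, dict(err.headers), err.read()


def backoff_delay(attempt, headers, base=1.0, cap=60.0, rng=random.random):
    """Seconds to wait before retry `attempt` (0-based), never more than `cap`."""
    # Assumption: the server may send Retry-After in seconds; other forms are ignored.
    retry_after = {k.lower(): v for k, v in headers.items()}.get("retry-after", "")
    if retry_after.isdigit():
        return min(float(retry_after), cap)
    # Exponential growth with jitter in [0.5, 1.0) so clients do not retry in lockstep.
    return min(cap, base * 2 ** attempt) * (0.5 + rng() / 2)


def post_with_backoff(url, body, send=send_once, sleep=time.sleep, max_retries=5):
    """POST with retries on 429 only; a 401 is returned at once, retrying cannot fix it."""
    api_key = os.environ[API_KEY_ENV]  # KeyError if unset: no fallback to a literal key
    for attempt in range(max_retries + 1):
        status, headers, payload = send(url, body, api_key)
        if status != 429 or attempt == max_retries:
            return status, payload
        sleep(backoff_delay(attempt, headers))
```

The `send` and `sleep` parameters exist so the retry logic can be exercised without network access or real delays.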
