Authentication
How to authenticate requests to the apikee platform API.
Project keys
Project keys authenticate management API calls (creating clients, issuing keys, reading logs). They start with sk_ and are created in the apikee.dev dashboard.
| Prefix | Environment |
|---|---|
| sk_live_ | Production |
| sk_test_ | Test / staging |
Pass the key in the request header:
x-api-key: sk_live_abc123...
Or as a Bearer token:
Authorization: Bearer sk_live_abc123...
Project keys are management credentials — treat them like passwords. Use environment variables, not hardcoded strings. Never expose them in client-side code or logs.
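The handling advice above, as an added example (not apikee's own code): it loads the project key from an environment variable, refuses a key whose prefix does not match the deployment, builds either header form, and masks keys in log output. The variable name APIKEE_PROJECT_KEY, the labels "production" and "test", and the key character set are assumptions.

```python
import logging
import os
import re

# Prefix-to-environment mapping from the table above; the labels are assumed.
PREFIX_ENV = {"sk_live_": "production", "sk_test_": "test"}
# Matches project keys so they can be masked in log output.
# Assumption: the key body uses only letters, digits, "_" and "-".
KEY_RE = re.compile(r"\b(sk_(?:live|test)_)[A-Za-z0-9_-]+")


def load_project_key(expected_env, environ=os.environ, var="APIKEE_PROJECT_KEY"):
    """Read the key from the environment (var is a hypothetical name) and check its prefix."""
    key = environ.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set")
    for prefix, env in PREFIX_ENV.items():
        if key.startswith(prefix):
            if env != expected_env:
                # Report only the prefix, never the key itself.
                raise RuntimeError(f"{prefix}* key used in a {expected_env} deployment")
            return key
    raise RuntimeError(f"{var} does not look like a project key")


def auth_headers(key, bearer=False):
    """Build either of the two header forms the page documents."""
    if bearer:
        return {"Authorization": f"Bearer {key}"}
    return {"x-api-key": key}


def redact(text):
    """Replace the secret part of any project key with a fixed marker."""
    return KEY_RE.sub(r"\1[REDACTED]", text)


class RedactKeys(logging.Filter):
    """Logging filter that masks project keys before a record is emitted."""

    def filter(self, record):
        # Format first so keys passed as %-style arguments are masked too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True
```

Attach the filter to each handler with handler.addFilter(RedactKeys()) so records propagated from child loggers are covered as well.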
Customer keys
Customer keys are the apikee_... keys issued to your API's end users. They authenticate requests to your API, not to the apikee platform.
Customer key validation happens in the SDK middleware and (in server mode) via POST /client/{uuid}. Your customers never interact with the apikee platform API directly.
Validation endpoint
When using server mode, the SDK calls this endpoint to log and validate customer key usage:
POST /client/{client_uuid}?project_env=my-api-production&method_path=GET:/users
Content-Type: application/json
x-api-key: sk_live_...
X-Apikee-Encrypted: 1

{ "v": "1", "epk": "...", "iv": "...", "ct": "..." }

The body is AES-256-GCM encrypted — the X-Apikee-Encrypted: 1 header signals the server to decrypt before processing.
Response:
{
  "success": true,
  "clientId": "uuid-...",
  "project_env": "my-api-production",
  "method_path": "GET:/users",
  "durationMs": 3
}
