Authentication
Every API request is authenticated with a bearer key:
Authorization: Bearer dg_your_key_here
Requests without a valid key are rejected with 401 Unauthorized — see
Errors.
Keys
Create API keys under API keys in the Customer Console.
- Keys start with
dg_. Add this prefix to your secret-scanning rules. - The full key is shown when created and can be revealed later by its owner. Treat the key as a secret.
- Keys authenticate the workspace, but each key has an owner. A key you create is private to you by default — teammates don't see it in their key list — so your organization can tell who is using the API. Workspace admins and organization owners can create a workspace-shared key that every member sees and can use; shared keys are convenient for getting started, but you lose per-person visibility, so we recommend each person create a private key. In either case, all usage draws on the workspace's shared credit balance and there are no per-key limits.
- Label your keys. One key per app or environment (
prod-backend,staging,cli-tools) simplifies rotation and incident response.
Rotating and revoking
From the Console you can:
- Rotate a key — a replacement is minted and the old key is revoked in one step. Update your deployment with the new value.
- Revoke a key — it stops working and cannot be recovered.
Creating, rotating, and revoking keys can take up to one minute to take effect. During that interval, an old key may still work and a new key may not work yet.
For a planned, zero-downtime change, create a second key, verify it, update the deployment, and then revoke the old key. If a key may be compromised, rotate or revoke it immediately and account for the one-minute change window.
Handling keys well
- Keep keys server-side where you can. Load them from environment variables or your secret manager, never from source control.
- Calling from a browser is supported. A key embedded in a public web page can be read and reused by anyone. For public applications, proxy Celeris calls through your backend. See Making requests.
- Prefer private keys. Give each person and each app its own unshared key so usage stays attributable. Use a workspace-shared key only when the application requires a credential shared by the workspace.
- Rotate on departure. Rotate shared keys when someone with production access leaves your team, and revoke or rotate any keys the departing person created.