Skip to main content

Authentication

Every API request is authenticated with a bearer key:

Authorization: Bearer dg_your_key_here

Requests without a valid key are rejected with 401 Unauthorized — see Errors.

Keys

Create API keys under API keys in the Customer Console.

  • Keys start with dg_. Add this prefix to your secret-scanning rules.
  • The full key is shown when created and can be revealed later by its owner. Treat the key as a secret.
  • Keys authenticate the workspace, but each key has an owner. A key you create is private to you by default — teammates don't see it in their key list — so your organization can tell who is using the API. Workspace admins and organization owners can create a workspace-shared key that every member sees and can use; shared keys are convenient for getting started, but you lose per-person visibility, so we recommend each person create a private key. In either case, all usage draws on the workspace's shared credit balance and there are no per-key limits.
  • Label your keys. One key per app or environment (prod-backend, staging, cli-tools) simplifies rotation and incident response.

Rotating and revoking

From the Console you can:

  • Rotate a key — a replacement is minted and the old key is revoked in one step. Update your deployment with the new value.
  • Revoke a key — it stops working and cannot be recovered.

Creating, rotating, and revoking keys can take up to one minute to take effect. During that interval, an old key may still work and a new key may not work yet.

For a planned, zero-downtime change, create a second key, verify it, update the deployment, and then revoke the old key. If a key may be compromised, rotate or revoke it immediately and account for the one-minute change window.

Handling keys well

  • Keep keys server-side where you can. Load them from environment variables or your secret manager, never from source control.
  • Calling from a browser is supported. A key embedded in a public web page can be read and reused by anyone. For public applications, proxy Celeris calls through your backend. See Making requests.
  • Prefer private keys. Give each person and each app its own unshared key so usage stays attributable. Use a workspace-shared key only when the application requires a credential shared by the workspace.
  • Rotate on departure. Rotate shared keys when someone with production access leaves your team, and revoke or rotate any keys the departing person created.