Authentication
All Optropic API requests require authentication via API keys. This page explains how to create, use, and secure your API keys.
API Key Format
Optropic API keys follow this format:
optr_{environment}_{64_hex_characters}
- optr_live_... — Production keys with real billing
- optr_test_... — Test keys for development (free, rate-limited)
Example:
optr_live_7f911b66f6af3bd695b1697204787faa45e731ff5510706f
Using Your API Key
Include your API key in the x-api-key header:
curl -X POST https://api.optropic.com/api/v1/code/verify \
  -H "x-api-key: optr_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "..."}'
JavaScript
const response = await fetch('https://api.optropic.com/api/v1/code/verify', {
  method: 'POST',
  headers: {
    'x-api-key': process.env.OPTROPIC_API_KEY,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ url: '...' }),
});
Python
import os
import requests
response = requests.post(
    'https://api.optropic.com/api/v1/code/verify',
    headers={
        'x-api-key': os.environ['OPTROPIC_API_KEY'],
        'Content-Type': 'application/json',
    },
    json={'url': '...'}
)
Creating API Keys
- Log in to Optropic Studio
- Go to Settings → API Keys
- Click Create API Key
- Choose environment: Live or Test
- Add a description (e.g., "Production Backend")
- Copy the key immediately — it's shown only once
Security Best Practices
Do
- Store keys in environment variables or secret managers
- Use optr_test_ keys during development
- Rotate keys periodically
- Use separate keys for different applications
Don't
- Commit keys to version control
- Include keys in client-side code (JavaScript bundles)
- Share keys between environments
- Log keys in application logs
Key Storage
We hash your API keys using SHA-256 before storing them. We cannot retrieve your original key — if you lose it, you must create a new one.
Storage Architecture
┌─────────────────────────────────────────────┐
│              Your Application               │
│                                             │
│   API Key: optr_live_abc123...              │
└─────────────────┬───────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────┐
│                Optropic API                 │
│                                             │
│  1. Extract key from x-api-key header       │
│  2. SHA-256 hash the key                    │
│  3. Look up hash in api_keys table          │
│  4. Validate: active, not expired           │
│  5. Authorize request                       │
└─────────────────────────────────────────────┘
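A minimal sketch of the five-step flow in the diagram, added here as an illustration and not Optropic's actual server code. The in-memory `api_keys` dict, its `revoked` and `expires_at` fields, the lowercase-hex pattern and the sample key are assumptions; the error codes are the ones listed under Authentication Errors on this page.

```python
import hashlib
import re
from datetime import datetime

# Key format from this page: optr_{environment}_{64_hex_characters}
# (lowercase hex is an assumption)
KEY_RE = re.compile(r"optr_(live|test)_[0-9a-f]{64}")

def key_digest(api_key: str) -> str:
    """SHA-256 hex digest: the only form of the key the server keeps."""
    return hashlib.sha256(api_key.encode("ascii")).hexdigest()

def authenticate(headers: dict, api_keys: dict, now: datetime):
    """Return (http_status, error_code or None, key record or None).

    api_keys stands in for the api_keys table: digest -> record with the
    hypothetical fields 'revoked' (bool) and 'expires_at' (datetime or None).
    """
    # 1. Extract the key from the x-api-key header (header names are case-insensitive)
    api_key = next((v for k, v in headers.items() if k.lower() == "x-api-key"), None)
    if not api_key:
        return 401, "MISSING_API_KEY", None
    # Malformed keys are rejected before any lookup
    if not KEY_RE.fullmatch(api_key):
        return 401, "INVALID_API_KEY", None
    # 2-3. Hash the key and look the digest up; the plaintext is never stored
    record = api_keys.get(key_digest(api_key))
    if record is None:
        return 401, "INVALID_API_KEY", None
    # 4. Validate: active, not expired
    if record["revoked"]:
        return 401, "REVOKED_API_KEY", None
    if record["expires_at"] is not None and record["expires_at"] <= now:
        return 401, "EXPIRED_API_KEY", None
    # 5. Authorize the request
    return 200, None, record

# Constructed sample data, not a real key
SAMPLE_KEY = "optr_test_" + "ab" * 32
SAMPLE_TABLE = {
    key_digest(SAMPLE_KEY): {"revoked": False, "expires_at": None, "description": "CI"}
}
```

Because the table holds only digests, nothing in it can reproduce the original key, which is why a lost key has to be replaced rather than recovered.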
Authentication Errors
| Error Code | HTTP Status | Meaning |
|---|---|---|
| MISSING_API_KEY | 401 | No x-api-key header provided |
| INVALID_API_KEY | 401 | Key doesn't exist or is malformed |
| EXPIRED_API_KEY | 401 | Key has passed its expiration date |
| REVOKED_API_KEY | 401 | Key was manually revoked |
| RATE_LIMITED | 429 | Too many requests for this key |
Example Error Response
{
  "error": {
    "code": "INVALID_API_KEY",
    "message": "The provided API key is invalid or does not exist"
  }
}
Key Rotation
To rotate an API key:
- Create a new key in Studio
- Update your application to use the new key
- Verify the new key works
- Revoke the old key in Studio
Zero-Downtime Rotation
Optropic supports having multiple active keys per account. Add the new key to your application before revoking the old one.
Test vs. Live Keys
| Feature | Test Keys | Live Keys |
|---|---|---|
| Billing | Free | Per-request pricing |
| Rate Limits | 100/day | Per your plan |
| Code Validity | Codes expire in 24h | Permanent |
| Data | Sandbox only | Production |
Use optr_test_ keys for development and CI/CD pipelines. Switch to optr_live_ for production deployments.