Authentication

Securely authenticate your API requests using API keys

Overview

Speedstein uses API keys to authenticate requests. Your API keys carry many privileges, so be sure to keep them secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.

Secure by Design

All API keys are SHA-256 hashed before storage. We never store plaintext keys in our database.

API Key Format

API keys follow a structured format that includes your subscription tier:

sk_[tier]_[32-character-secret]
Free Tier
sk_free_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6
Starter Tier
sk_starter_X9y8Z7w6V5u4T3s2R1q0P9o8N7m6L5k4
Pro Tier
sk_pro_M3n4O5p6Q7r8S9t0U1v2W3x4Y5z6A7b8
Enterprise Tier
sk_enterprise_H8i9J0k1L2m3N4o5P6q7R8s9T0u1V2w3

Using Your API Key

Pass your API key in the Authorization header using the Bearer scheme:

HTTP Header
Authorization: Bearer sk_free_YOUR_API_KEY_HERE

Example Requests

cURL
curl https://api.speedstein.com/v1/pdf/generate \
  -H "Authorization: Bearer sk_free_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"html":"<h1>Test</h1>"}'
JavaScript
const response = await fetch('https://api.speedstein.com/v1/pdf/generate', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer sk_free_YOUR_API_KEY',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ html: '<h1>Test</h1>' })
});
Python
import requests

response = requests.post(
    'https://api.speedstein.com/v1/pdf/generate',
    headers={
        'Authorization': 'Bearer sk_free_YOUR_API_KEY',
        'Content-Type': 'application/json'
    },
    json={'html': '<h1>Test</h1>'}
)

Security Best Practices

✓ Good Practice
# .env file (never commit this!)
SPEEDSTEIN_API_KEY=sk_free_YOUR_API_KEY

// app.js
const apiKey = process.env.SPEEDSTEIN_API_KEY;
✗ Bad Practice
// app.js (NEVER DO THIS!)
const apiKey = 'sk_free_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6';

// frontend.js (NEVER DO THIS!)
fetch('https://api.speedstein.com/v1/pdf/generate', {
  headers: { 'Authorization': 'Bearer sk_free_...' }
});
  • Store API keys in environment variables or secure key management systems
  • Never expose API keys in client-side JavaScript or mobile apps
  • Use different API keys for development, staging, and production
  • Rotate API keys regularly (every 90 days recommended)
  • Revoke compromised keys immediately in your dashboard
  • Limit API key permissions to only what's necessary
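
A check that backs up the first two practices, written for this page as an added example (it is not Speedstein's code): a scanner that flags hardcoded keys in the sk_[tier]_[32-character-secret] format before they are committed. It assumes the secret is alphanumeric, as in the sample keys above; the function names and sample files are hypothetical.

```javascript
// Added example: detector for Speedstein-style keys in text about to be committed.
// Assumption: the secret is 32 alphanumeric characters, as in the sample keys
// on this page; the tier list is the four tiers the page names.
const KEY_PATTERN = /\bsk_(free|starter|pro|enterprise)_([A-Za-z0-9]{32})(?![A-Za-z0-9])/g;

// Keep only the tier prefix and the last 4 characters so findings are safe to log.
function redact(tier, secret) {
  return `sk_${tier}_${'*'.repeat(28)}${secret.slice(-4)}`;
}

// Scan one file's text; returns [{ file, line, tier, redacted }].
function scanText(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, idx) => {
    for (const m of lineText.matchAll(KEY_PATTERN)) {
      findings.push({ file, line: idx + 1, tier: m[1], redacted: redact(m[1], m[2]) });
    }
  });
  return findings;
}

// Scan a map of { path: contents }. A pre-commit hook would fill this from the
// staged files and exit non-zero when anything is returned.
function scanFiles(files) {
  return Object.entries(files).flatMap(([file, text]) => scanText(file, text));
}

// Constructed sample input (the key is the documentation sample from this page).
const SAMPLE_FILES = {
  'app.js': [
    "const apiKey = process.env.SPEEDSTEIN_API_KEY;",          // fine: read from the environment
    "const old = 'sk_free_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6';", // hardcoded key: flagged
    "// Authorization: Bearer sk_free_YOUR_API_KEY",           // placeholder: no 32-char secret
  ].join('\n'),
  'README.md': 'Keys look like sk_[tier]_[32-character-secret].',
};

for (const f of scanFiles(SAMPLE_FILES)) {
  console.log(`${f.file}:${f.line} ${f.tier} key ${f.redacted}`);
}
```

A key this scanner finds in committed history should be revoked and replaced, not just deleted from the file.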

Key Management

You can create, view, and revoke API keys in your dashboard:

Dashboard Actions

Create New Keys

Generate up to 10 active keys per account

View Key Metadata

See creation date, last used timestamp, and key prefix

Revoke Keys

Instantly invalidate compromised or unused keys

Track Usage

Monitor when each key was last used

Common Authentication Errors

401 Unauthorized
Missing or Invalid API Key
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key"
  }
}

Solution: Verify your API key is correct and included in the Authorization header.

403 Forbidden
Revoked API Key
{
  "error": {
    "code": "forbidden",
    "message": "API key has been revoked"
  }
}

Solution: Create a new API key in your dashboard.

429 Too Many Requests
Rate Limit Exceeded
{
  "error": {
    "code": "rate_limit_exceeded",
    "message": "Too many requests. Please retry after 60 seconds."
  }
}

Solution: Wait for the rate limit window to reset or upgrade your plan for higher limits.
