Managing API Keys
Learn what API keys are, how to create one, and best practices for keeping them secure.
What Is an API Key?
An API key is a unique, secret token that authenticates your identity and authorizes your requests when you communicate with the Skytells API. Every interaction with the platform — whether through the REST API, an official SDK, the Playground, or a third-party integration — requires a valid API key linked to your Skytells account.
Your API key serves two critical purposes:
- Identification — It tells the platform which account is making the request, so usage and billing are attributed correctly.
- Authorization — It determines what resources you can access based on your account's plan and permissions.
API keys are scoped to your user account. If you're part of a team, each member should generate their own keys so that activity can be tracked individually.
API Key Format
Skytells API keys are prefixed strings that look like this:
```
sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
The sk- prefix helps you quickly identify Skytells keys in your environment. The remainder is a cryptographically random string — never attempt to construct or guess a key.
Managing API Keys
Where to Find the API Keys
The API Keys page is located in the Skytells Dashboard under the API Keys section.
Creating a New API Key
In the API Keys page, you can create a new API key by clicking the Generate New API Key button. You will be prompted to enter a name for your new API key. This name will be used to identify the API key in the dashboard. Once you have entered a name, click the Generate API Key button to create the new API key. The new API key will be displayed on the page. You can copy the API key by clicking the Copy button.
Sign in to your account
Go to skytells.ai/auth/signin and log in with your credentials. If you don't have an account yet, create one first.
Open the API Keys page
Navigate to Dashboard → API Keys. This is where all your keys are listed, along with their names, creation dates, and last usage timestamps.
Generate a new key
Click "Generate New API Key" and give it a descriptive name that reflects its purpose. Good naming examples:
- Production — Backend Server
- Development — Local Testing
- CI/CD Pipeline
- Mobile App — iOS
Copy your key immediately
Your full API key is displayed only once at the moment of creation. Copy it and store it in a secure location (e.g., a password manager or encrypted secrets vault) before closing the dialog.
You will not be able to view the full API key again after creation. If you lose it, revoke the old key and generate a new one.
Managing Existing Keys
From the API Keys dashboard you can:
- View key metadata — name, creation date, and the timestamp of the last request made with that key.
- Revoke a key — Immediately invalidate a key. Any request using a revoked key will receive a 401 Unauthorized error. This action cannot be undone.
- Create additional keys — There is no hard limit on the number of keys you can create. Use this to separate concerns across environments and services.
API Key Security
Never share your API key publicly, commit it to version control, or embed it in client-side code (browsers, mobile apps, SPAs).
Your API key is equivalent to a password. Anyone who has it can make requests on your behalf — and you will be billed for that usage. Follow these principles to keep your keys safe:
- Each API key is tied to your account — all usage, including costs, is attributed to you.
- Revoke keys immediately if you suspect they've been exposed. You can do this from Dashboard → API Keys.
- The platform tracks last usage of every key. Review this regularly to spot unexpected activity.
- Use separate keys per environment — one for development, one for staging, one for production. If a dev key leaks, your production systems remain unaffected.
- Rotate keys periodically — even without a suspected breach, periodic rotation limits the window of exposure.
Best Practices
| Do | Don't |
|---|---|
| Store keys in environment variables or a secrets manager | Hard-code keys in source files |
| Use separate keys per environment | Reuse one key everywhere |
| Rotate keys on a regular schedule | Keep the same key indefinitely |
| Revoke keys you're no longer using | Leave old, unused keys active |
| Keep keys server-side only | Expose keys in frontend / client-side code |
| Use .gitignore to exclude .env files | Commit .env files to your repository |
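A check that backs up the "don't commit keys" rows above, as an added example that is not part of the Skytells documentation or SDK. It assumes a key body of 20 or more characters from `[A-Za-z0-9_-]` and an entropy cut-off of 3 bits per character (the page documents only the `sk-` prefix); the sample files and the key in them are constructed.

```javascript
// Added example, not Skytells code: find "sk-" keys in text before it is committed.
// ASSUMPTION: a key body is 20+ chars of [A-Za-z0-9_-]; the page documents only
// the "sk-" prefix, not the exact alphabet or length.
const KEY_PATTERN = /\bsk-[A-Za-z0-9_-]{20,}/g;
const MIN_ENTROPY_BITS = 3.0; // per character; assumed cut-off for placeholders

// Shannon entropy in bits per character.
function shannonEntropy(text) {
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / text.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Report only a short fragment so the scanner's output never repeats the secret.
function redact(key) {
  return `${key.slice(0, 7)}...${key.slice(-2)} (${key.length} chars)`;
}

// One finding per suspected key: { file, line, redacted }.
function scanText(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, index) => {
    for (const match of lineText.matchAll(KEY_PATTERN)) {
      const body = match[0].slice(3); // drop the "sk-" prefix
      if (shannonEntropy(body) < MIN_ENTROPY_BITS) continue; // e.g. sk-xxxx...
      findings.push({ file, line: index + 1, redacted: redact(match[0]) });
    }
  });
  return findings;
}

const scanAll = (files) =>
  Object.entries(files).flatMap(([name, text]) => scanText(name, text));

// Constructed sample input; the key in src/client.js is made up for this example.
const SAMPLE_FILES = {
  '.env.example': 'SKYTELLS_API_KEY="sk-your-api-key-here"\n',
  'docs/format.md': 'Keys look like sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n',
  'src/client.js': "import { createClient } from 'skytells';\n" +
    "const client = createClient('sk-9fQ2mZx7Lr4TbV1cYw8Kd3Hs6NpA0eUj');\n",
};

const findings = scanAll(SAMPLE_FILES);
for (const f of findings) console.log(`${f.file}:${f.line} possible key ${f.redacted}`);
```

In a Git hook, run `scanText` over the staged content and exit non-zero when it returns any findings, so the commit is blocked before the key reaches history.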
What to Do If a Key Is Compromised
Revoke the key immediately
Go to Dashboard → API Keys and revoke the compromised key. This takes effect instantly.
Generate a replacement
Create a new key and update your application configuration with the new value.
Audit recent usage
Check your Dashboard for any unexpected predictions or charges during the window the key was exposed.
Scrub from version control
If the key was committed to a repository, remove it from the history. Changing the key alone isn't enough — the old value remains in git history.
Storing Your API Key
The recommended way to use your API key is through environment variables. This keeps the secret out of your codebase entirely.
Setting the Environment Variable
```bash
export SKYTELLS_API_KEY="sk-your-api-key-here"
```
Using It in Code
```javascript
import { createClient } from 'skytells';
const client = createClient(process.env.SKYTELLS_API_KEY);
```
Production Secrets Management
For production deployments, consider using a dedicated secrets manager instead of plain .env files:
| Platform | Secrets Solution |
|---|---|
| AWS | AWS Secrets Manager or SSM Parameter Store |
| Google Cloud | Secret Manager |
| Vercel | Environment Variables (encrypted) |
| Docker / Kubernetes | Kubernetes Secrets or Docker Secrets |
| CI/CD | Pipeline-level encrypted variables |
Using Your API Key in Requests
Pass the API key in the x-api-key header with every request:
```bash
curl https://api.skytells.ai/v1/predictions \
  -H "x-api-key: sk-your-api-key-here"
```
```javascript
import { createClient } from 'skytells';
const client = createClient(process.env.SKYTELLS_API_KEY);
// The SDK attaches the x-api-key header automatically
const models = await client.listModels();
```