API keys & authentication
Every request to the /v1 API authenticates with an API key. Keys come in
two flavors: dt_live_… for production traffic and dt_test_… for testing,
each followed by 32 alphanumeric characters. Send the key as a bearer token:
Authorization: Bearer dt_live_…You create and revoke keys from the dashboard. There’s no separate “username” — the key is the whole credential, scoped to your account.
On our side, we store only a hashed form of your key, never the key itself. That means if our database were ever exposed, an attacker couldn’t recover usable keys from it — and it also means if you lose a key, we can’t look it up or recover it for you; you have to issue a new one.
Revocation is fast but not instantaneous: a revoked key stops working within about 60 seconds. Validated keys are cached briefly (about a minute) to keep the hot path fast, so revoking a key takes effect within that window.
If a request arrives with a missing or invalid key, /v1/limit and
/v1/leases respond 401 before any rate-limit logic runs.