Skip to content

API keys & authentication

Every request to the /v1 API authenticates with an API key. Keys come in two flavors: dt_live_… for production traffic and dt_test_… for testing, each followed by 32 alphanumeric characters. Send the key as a bearer token:

Authorization: Bearer dt_live_…

You create and revoke keys from the dashboard. There’s no separate “username” — the key is the whole credential, scoped to your account.

On our side, we store only a hashed form of your key, never the key itself. That means if our database were ever exposed, an attacker couldn’t recover usable keys from it — and it also means if you lose a key, we can’t look it up or recover it for you; you have to issue a new one.

Revocation is fast but not instantaneous: a revoked key stops working within about 60 seconds. Validated keys are cached briefly (about a minute) to keep the hot path fast, so revoking a key takes effect within that window.

If a request arrives with a missing or invalid key, /v1/limit and /v1/leases respond 401 before any rate-limit logic runs.