Authentication
Secure your API requests with API key authentication
Overview
The Pixelsuite API uses API key authentication to secure protected endpoints. Each request to a protected endpoint must include a valid API key in the request headers.
Obtaining an API Key
API keys are managed by your system administrator. To request an API key:
- Contact your account manager or system administrator
- Provide your use case and required access level
- Receive your API key securely (never shared via email)
- Store your API key securely (treat it like a password)
Security Warning: Never commit API keys to version control or share them publicly.
Always store them in environment variables or secure configuration files.
Making Authenticated Requests
Using the Authorization Header (Recommended)
Include your API key as a Bearer token in the Authorization header:
curl -X GET https://api.pixelsuite.com.au/v1/client \
  -H "Authorization: Bearer YOUR_API_KEY"
Using the X-API-Key Header
Alternatively, you can use the X-API-Key header:
curl -X GET https://api.pixelsuite.com.au/v1/client \
  -H "X-API-Key: YOUR_API_KEY"
Using Query Parameter (Not Recommended)
For testing purposes only, you can pass the API key as a query parameter:
curl -X GET "https://api.pixelsuite.com.au/v1/client?api_key=YOUR_API_KEY"
Note: Query parameter authentication should only be used for testing.
In production, always use header-based authentication so that API keys do not end up in logged request URLs.
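The logging risk described in the note above, as an added example (not Pixelsuite's own code): it scans web access-log lines for the `api_key` query parameter, redacts the value, and reports a short SHA-256 fingerprint so the exposed key can be identified and revoked without copying it anywhere else. The function names, the combined log format, the case-insensitive match and the sample lines are assumptions made for this illustration.

```python
import hashlib
import re

# "api_key" is the query parameter name from the testing example on this page.
# Matching case-insensitively is a conservative assumption for scanning.
KEY_IN_QUERY = re.compile(r'([?&]api_key=)([^&\s"#]+)', re.IGNORECASE)


def fingerprint(key: str) -> str:
    """Short SHA-256 prefix: identifies which key leaked without storing it."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def redact(line: str) -> str:
    """Mask every api_key value in a log line or URL."""
    return KEY_IN_QUERY.sub(lambda m: m.group(1) + "[REDACTED]", line)


def find_leaks(lines):
    """Return (line_no, fingerprint, redacted_line) for each key found in a URL."""
    leaks = []
    for no, line in enumerate(lines, start=1):
        for m in KEY_IN_QUERY.finditer(line):
            leaks.append((no, fingerprint(m.group(2)), redact(line)))
    return leaks


def keys_to_rotate(lines):
    """Distinct fingerprints of keys seen in URLs; each one should be revoked."""
    return sorted({fp for _, fp, _ in find_leaks(lines)})


# Constructed access-log lines; the addresses and key values are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:15:32 +0000] '
    '"GET /v1/client?api_key=EXAMPLEKEY123 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2025:10:15:40 +0000] '
    '"GET /v1/client HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Mar/2025:10:16:02 +0000] '
    '"GET /v1/client?page=2&API_KEY=EXAMPLEKEY456 HTTP/1.1" 401 96',
]

if __name__ == "__main__":
    for no, fp, safe in find_leaks(SAMPLE_LOG):
        print(f"line {no}: key sha256:{fp} exposed -> {safe}")
```

A key sent in a header never appears in these lines, which is why the second sample line produces no finding.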
Authentication Errors
Missing API Key (401)
If you forget to include an API key:
{
  "success": false,
  "message": "Authentication Required",
  "error": {
    "message": "No API key provided",
    "code": 401
  }
}
Invalid API Key (401)
If your API key is invalid, expired, or inactive:
{
  "success": false,
  "message": "Invalid Authentication",
  "error": {
    "message": "Invalid or inactive API key",
    "code": 401
  }
}
Rate Limit Exceeded (429)
If you exceed your rate limit:
{
  "success": false,
  "message": "Rate Limit Exceeded",
  "error": {
    "message": "Rate limit exceeded",
    "code": 429
  }
}
API Key Management
Key Properties
Each API key has the following properties:
- Name: Descriptive name for the key (e.g., "Production App", "Mobile Client")
- Active Status: Keys can be activated or deactivated
- Expiration: Optional expiration date for temporary access
- Rate Limit: Custom rate limit (default: 1000 requests/hour)
- Usage Tracking: Last used timestamp and total request count
Best Practices
- Use separate API keys for different environments (dev, staging, production)
- Rotate API keys periodically (every 90 days recommended)
- Revoke unused or compromised keys immediately
- Monitor usage patterns for unusual activity
- Never hardcode API keys in your application code
Pro Tip: Check out our Security Guide for comprehensive best practices on API key management and secure integration.
Code Examples
PHP
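<?php
// Read the key from the environment; never hardcode it.
$apiKey = getenv('PIXELSUITE_API_KEY');
if ($apiKey === false || $apiKey === '') {
    throw new RuntimeException('PIXELSUITE_API_KEY is not set');
}

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_URL => 'https://api.pixelsuite.com.au/v1/client',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => [
        'Authorization: Bearer ' . $apiKey,
    ],
]);

$response = curl_exec($curl);
if ($response === false) {
    // Transport failure (DNS, TLS, timeout): there is no body to decode.
    $error = curl_error($curl);
    curl_close($curl);
    throw new RuntimeException('Request failed: ' . $error);
}
curl_close($curl);

$data = json_decode($response, true);
?>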
JavaScript (Node.js)
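// Read the key from the environment; never hardcode it.
const apiKey = process.env.PIXELSUITE_API_KEY;
if (!apiKey) {
  // Without this check the header would be sent as "Bearer undefined".
  throw new Error('PIXELSUITE_API_KEY is not set');
}

const response = await fetch('https://api.pixelsuite.com.au/v1/client', {
  headers: {
    'Authorization': `Bearer ${apiKey}`
  }
});
const data = await response.json();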
Python
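import os
import requests

# Read the key from the environment; never hardcode it.
api_key = os.getenv('PIXELSUITE_API_KEY')
if not api_key:
    raise RuntimeError('PIXELSUITE_API_KEY is not set')

response = requests.get(
    'https://api.pixelsuite.com.au/v1/client',
    headers={'Authorization': f'Bearer {api_key}'},
    timeout=10,  # requests has no default timeout
)
data = response.json()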