Authentication
All API requests must be authenticated with an API key passed in the X-API-Key header.
API Key Format
API keys use a prefixed format to distinguish environments:
| Prefix | Environment |
|---|---|
| `pk_live_` | Production |
| `pk_test_` | Testing / sandbox |
Test keys behave identically to production keys but operate against sandbox data.
Sending Authenticated Requests
Include your API key in the X-API-Key header with every request:

```bash
curl https://api.pii-redactor.dev/api/v1/redact \
  -H "X-API-Key: pk_live_abc123def456" \
  -H "Content-Type: application/json" \
  -d '{"text": "My SSN is 123-45-6789"}'
```

Creating API Keys
You can create keys via the dashboard or programmatically through the API Keys endpoint:

```bash
curl -X POST https://api.pii-redactor.dev/api/v1/api-keys \
  -H "X-API-Key: pk_live_your_existing_key" \
  -H "Content-Type: application/json" \
  -d '{"name": "CI/CD Pipeline Key"}'
```

The full key is returned only once in the creation response. Store it securely.
Key Scoping
Each API key is scoped to a single tenant. Requests made with a key automatically operate within that tenant’s data. You can override this with the ?tenant_id= query parameter if your key has cross-tenant permissions.
Security Best Practices
- Store keys in environment variables or a secrets manager, never in source code.
- Use `pk_test_` keys during development and CI.
- Rotate keys periodically via the dashboard or API.
- Revoke compromised keys immediately with `DELETE /api-keys/{key_id}`.
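
One way to apply the first two practices from a shell, added here as an example and not part of the API's own tooling: the key is read from an environment variable, a production key is refused unless explicitly allowed, and the key stays out of logs and the process list. The variable names `PII_REDACTOR_API_KEY` and `ALLOW_LIVE_KEY` and all function names are assumptions.

```shell
# Added example. PII_REDACTOR_API_KEY and ALLOW_LIVE_KEY are assumed names.
API_BASE="https://api.pii-redactor.dev/api/v1"   # base URL from the page

# Classify a key by the documented prefixes.
key_env() {
  case "$1" in
    pk_live_?*) echo live ;;
    pk_test_?*) echo test ;;
    *)          echo unknown ;;
  esac
}

# Mask a key for log output: prefix plus last four characters only.
mask_key() {
  if [ "${#1}" -lt 16 ]; then echo '****'; return; fi
  printf '%s****%s\n' "${1%"${1#????????}"}" "${1#"${1%????}"}"
}

# Allow test keys; allow a production key only when ALLOW_LIVE_KEY=1.
check_key() {
  local key="${PII_REDACTOR_API_KEY:-}"
  case "$(key_env "$key")" in
    test) return 0 ;;
    live) if [ "${ALLOW_LIVE_KEY:-0}" = 1 ]; then return 0; fi
          echo "refusing production key $(mask_key "$key")" >&2; return 1 ;;
    *)    echo "PII_REDACTOR_API_KEY unset or missing pk_ prefix" >&2; return 1 ;;
  esac
}

# Translate the documented error statuses into a short label.
status_label() {
  case "$1" in
    2??) echo ok ;;
    401) echo invalid-key ;;
    403) echo no-permission ;;
    *)   echo "unexpected-$1" ;;
  esac
}

# redact FILE: POST a JSON file; the key goes via curl config on stdin, not argv.
redact() {
  check_key || return 1
  local out status; out=$(mktemp) || return 1
  status=$(printf 'header = "X-API-Key: %s"\n' "$PII_REDACTOR_API_KEY" |
    curl -sS -K - -o "$out" -w '%{http_code}' \
      -H "Content-Type: application/json" --data-binary @"$1" "$API_BASE/redact")
  cat "$out"; rm -f "$out"
  [ "$(status_label "$status")" = ok ]
}
```

In CI, leave `ALLOW_LIVE_KEY` unset so a job that is accidentally handed a `pk_live_` key fails before any request is sent.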
Error Responses
| Status | Meaning |
|---|---|
| 401 | Missing or invalid API key |
| 403 | Key does not have permission for the requested resource |

```json
{
  "detail": "Invalid or expired API key"
}
```