Keys
Keys are the tokens your customers send. They carry no credits of their own — validation deducts from the consumer pool. /key/validate is the endpoint you call on every request.
/key/createBearerCreate key
Keys are authentication tokens only — they have no credits of their own. Every deduction goes to the consumer’s shared pool. Scope a key to specific APIs with allowedApis, or use ["*"] for all.
consumerIdstringrequiredConsumer this key belongs to.
allowedApisarrayAPI IDs this key can access, or ["*"] for all. Default ["*"].
prefixstringCustom key prefix (defaults to project name).
tagstringOptional tag.
metadataobjectCustom metadata.
statusstringKey status. Default "active".
curl -X POST "https://api.reqkey.com/key/create" \
-H "Authorization: Bearer reqkey_xxx..." \
-H "Content-Type: application/json" \
-d '{
"consumerId": "cons_A1B2C3D4",
"allowedApis": [
"api_payment",
"api_analytics"
],
"prefix": "prod",
"tag": "production",
"metadata": {
"environment": "prod",
"version": "v2"
}
}'{
"key": "prod_A1B2C3D4E5F6G7H8I9J0K1L2",
"keyId": "key_X1Y2Z3A4",
"createdAt": "2026-01-30T12:34:56Z",
"status": "active"
}- Key creation is blocked if the consumer’s status is "disabled" or "deleted".
- Keep the keyId — you’ll use it to update or reroll the key later.
/key/validateBearerValidate key
Call this from your own middleware on every incoming request. It confirms the key is real, active, in-scope for the API, and has credits — then deducts from the consumer’s shared pool and returns a requestId you can feed into /ingest.
keystringrequiredThe API key to validate.
apiIdstringAPI to check access against (enforced when the key has restricted allowedApis).
creditsnumberCredits to deduct. Default 1. Use 0 for a free check.
resourcestringResource identifier recorded for analytics.
- 1Key exists
- 2Key belongs to the authenticated project
- 3Key status is "active" (not disabled / pending / deleted)
- 4Consumer status is "active" (a disabled consumer blocks all its keys)
- 5Key has not expired
- 6If apiId is given and the key is scoped, the key can access that API
- 7Consumer has sufficient credits (skipped when the consumer is unlimited)
curl -X POST "https://api.reqkey.com/key/validate" \
-H "Authorization: Bearer reqkey_xxx..." \
-H "Content-Type: application/json" \
-d '{
"key": "prod_A1B2C3D4E5F6G7H8I9J0K1L2",
"apiId": "api_payment",
"credits": 1,
"resource": "/api/v1/payments"
}'{
"valid": true,
"requestId": "abc123xyz",
"apiId": "api_payment",
"apiName": "PaymentAPI",
"createdAt": "2026-01-30T12:34:56Z",
"expiresAt": null,
"creditsRemaining": 9995,
"creditsLimit": 10000,
"allowedApis": [
"api_payment",
"api_analytics"
],
"resource": "/api/v1/payments"
}- Credits are deducted from the consumer’s shared pool, never the key.
- Non-integer credits are rounded down (2.5 → 2). credits: 0 skips deduction.
- creditsRemaining and creditsLimit are null for unlimited consumers.
- Pass the returned requestId to /ingest to attach full request/response logs.
/key/updateBearerUpdate key
Manages key-level properties only. For credit changes use /consumer/update.
keyIdstringrequiredKey ID to update (or pass key instead).
keystringThe API key value (alternative to keyId).
allowedApisarrayUpdated allowed API IDs, or ["*"] for all.
rerollKeybooleantrue regenerates the key value (old one dies immediately).
statusstringNew status ("active", "disabled", "pending").
tagstringNew tag.
metadataobjectUpdated metadata.
curl -X POST "https://api.reqkey.com/key/update" \
-H "Authorization: Bearer reqkey_xxx..." \
-H "Content-Type: application/json" \
-d '{
"keyId": "key_X1Y2Z3A4",
"allowedApis": [
"api_payment",
"api_analytics",
"api_billing"
],
"status": "active",
"rerollKey": true
}'{
"key": "prod_N3W4K3Y5V6A7L8U9E0H1E2R3",
"status": "active"
}- rerollKey preserves keyId and all settings — only the key value changes, using the same prefix.
/key/detailsBearerGet key details
Fetch a key with its consumer’s credit state.
keyIdstringrequiredKey ID (or pass key instead).
keystringThe API key value (alternative to keyId).
curl -X POST "https://api.reqkey.com/key/details" \
-H "Authorization: Bearer reqkey_xxx..." \
-H "Content-Type: application/json" \
-d '{
"keyId": "key_X1Y2Z3A4"
}'{
"keyId": "key_X1Y2Z3A4",
"key": "prod_A1B2C3D4E5F6G7H8I9J0K1L2",
"consumerId": "cons_A1B2C3D4",
"allowedApis": [
"api_payment",
"api_analytics"
],
"status": "active",
"createdAt": "2026-01-30T12:34:56Z",
"updatedAt": "2026-01-30T14:00:00.000Z",
"credits": {
"limit": 10000,
"remaining": 9850,
"used": 150,
"shadowLimit": 1000,
"expiresAt": null,
"refill": {
"nextRefillAt": 1743465600000
}
},
"tag": "production",
"metadata": {
"environment": "prod"
}
}- The credits field is the consumer’s state (null if unlimited), not a per-key balance.
/key/deleteBearerDelete key
Soft or hard delete a key. Does not touch consumer credits.
keyIdstringrequiredKey ID (or pass key instead).
keystringThe API key value (alternative to keyId).
permanentbooleanfalse = soft delete (default), true = hard delete.
curl -X POST "https://api.reqkey.com/key/delete" \
-H "Authorization: Bearer reqkey_xxx..." \
-H "Content-Type: application/json" \
-d '{
"keyId": "key_X1Y2Z3A4",
"permanent": false
}'{
"deleted": true,
"key": "prod_A1B2C3D4E5F6G7H8I9J0K1L2"
}- Soft delete is recoverable for 7 days via consumer update. Deleting a key never frees or changes consumer credits.
/key/creditsBearerGet credits
Read the consumer’s current limit and remaining balance via a key.
keystringrequiredAPI key used to resolve the consumer.
curl -X POST "https://api.reqkey.com/key/credits" \
-H "Authorization: Bearer reqkey_xxx..." \
-H "Content-Type: application/json" \
-d '{
"key": "prod_A1B2C3D4E5F6G7H8I9J0K1L2"
}'{
"limit": 10000,
"remaining": 9850
}- Both fields are null when the consumer is unlimited.
/key/rechargeBearerRecharge credits
Add credits to a consumer’s pool (identified by a key).
keystringrequiredAPI key used to resolve the consumer.
creditsnumberrequiredCredits to add (must be positive).
curl -X POST "https://api.reqkey.com/key/recharge" \
-H "Authorization: Bearer reqkey_xxx..." \
-H "Content-Type: application/json" \
-d '{
"key": "prod_A1B2C3D4E5F6G7H8I9J0K1L2",
"credits": 5000
}'{
"success": true,
"key": "prod_A1B2C3D4E5F6G7H8I9J0K1L2",
"consumerId": "cons_A1B2C3D4",
"previousCredits": 10000,
"addedCredits": 5000,
"newTotalCredits": 15000,
"availableCredits": 14850,
"allocated": 0,
"message": "Credits updated instantly"
}- Recharge is additive and benefits every key under the consumer.
- Synced to every region immediately; if a sync is ever missed, it is reconciled within 1 second.