Back to Docs
API Keys

API Key Management

Learn how to create, manage, and secure your AffirmID API keys.

Key Types

Live Keys
affirmid_live_xxxxxxxxxxxxxxxx

Use in production environments. Requests count against your quota and affect real users.

Test Keys
affirmid_test_xxxxxxxxxxxxxxxx

Use in development and staging. Requests are free and use simulated responses.

Creating API Keys

  1. 1

    Navigate to API Keys

    Go to your dashboard and click Settings → API Keys.

  2. 2

    Click "Create New Key"

    Choose between a Live or Test key based on your needs.

  3. 3

    Configure key settings

    Add a descriptive name, optional expiration date, and IP allowlist.

  4. 4

    Copy and store securely

    The full key is only shown once. Store it in a secure location immediately.

Using API Keys

HTTP Header Authentication

Include your API key in the X-API-Key header:

curl -X POST https://api.affirmid.com/v1/auth/create \
  -H "X-API-Key: affirmid_live_xxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"userId": "user_123", "application": "My App"}'

SDK Initialization

Pass your API key when initializing the SDK:

import { AffirmID } from '@affirmid/node';

const affirmid = new AffirmID({
  apiKey: process.env.AFFIRMID_API_KEY,
  // Optional: use test mode
  testMode: process.env.NODE_ENV !== 'production'
});

Security Best Practices

Never expose in client code

API keys should only be used server-side. Never include them in frontend JavaScript, mobile apps, or public repositories.

Rotate keys regularly

Create new keys and deprecate old ones periodically. We recommend rotating production keys every 90 days.

Use environment variables

Store keys in environment variables or secret management systems, never in code or config files.

Set expiration dates

Optionally set keys to expire automatically. Expired keys will return 401 errors.

If Your Key Is Compromised

If you suspect your API key has been exposed, take immediate action:

  1. 1. Go to your dashboard and revoke the compromised key immediately
  2. 2. Create a new API key and update your applications
  3. 3. Review your authentication logs for unauthorized activity
  4. 4. Contact support if you notice suspicious requests

Managing Existing Keys

ActionDescription
View DetailsSee key metadata, usage statistics, and last used timestamp.
Rotate KeyGenerate a new key while keeping the old one active for a grace period.
Revoke KeyPermanently disable a key. This action cannot be undone.