API Keys / Key Rotation

How to find your API key, reset a compromised API key, and use external API keys

How to find your API key

To connect an API to a project or application, you must have an API key to authenticate your request. Creating an app within RapidAPI generates an API key (X-RapidAPI-Key) specific to that application. You can view analytics based on the API calls you make using this app key.

👍

PRO-TIP: If you generate a code snippet within the browser, your app key will automatically appear in the generated code. You can also find the API key on the Security page of your application on the Developer Dashboard.

Here is an example of using an API key with the Unirest Node.js library.

unirest.post({{API-URL}})
.header("X-RapidAPI-Key", {{API-KEY}})

🚧

You must have an application on the RapidAPI Developer Dashboard to access an API key. By default, an application will be created when you sign up. If you delete the application, you must re-create at least one application.

Different API keys for multiple applications or separate analytics

Do you have multiple projects you're working on at once? You can add a new app for each project, which will generate a new API key as well! This means that each app will be more secure as it uses a different API key and you'll also be able to see separate analytics for each app.

🚧

App-specific API keys vs. account-wide subscriptions

If you opt to have multiple projects under a single RapidAPI account, keep in mind that pricing is based on account-wide usage. This means that if you're using the same API on two different projects, your billing/overage fees will be calculated using the usage of both apps.

API key rotation or resetting a compromised API key

RapidAPI also supports API key rotation for security purposes. You can also use API key rotation to reset a compromised or inadvertently exposed API key without losing the application's analytics. You can create a new API key and delete the compromised one in a few steps from the Developer Dashboard:

  1. Select the application with the compromised key and navigate to the Security page.

  2. Click "Add New Key." You can also edit the API Key name if desired.

  3. Now it is time to test the new API key. Go to the API's Endpoints tab on the RapidAPI Hub listing and select the new API key from the X-RapidAPI-Key dropdown. Click the "Test Endpoint" button to ensure the new API key is working properly.

  4. Update your project with the new API key.

  5. Return to the application's Security page and delete the compromised API key.

External API keys & access tokens

Some APIs may require an API key or access token directly from their website to authenticate an account with the provider when making a request. For example, Slack's createChannel endpoint requires an authentication token that is related to your Slack workspace.


Every API is different, but in most cases, you must visit the API provider's website to retrieve this token or key. There are instructions within the API's About page detailing how to get this token or key.


Passing an API key via a query parameter

RapidAPI supports passing the API key via a query parameter. You can do this by including the following syntax in the link:

https://example.p.rapidapi.com/?rapidapi-key=***************************

🚧

Please keep in mind that your RapidAPI key is used across your entire account. Be careful about exposing your key if the link is publicly accessible.
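
A key passed in a link also ends up wherever that link is written, such as application and proxy logs. The following added example (not RapidAPI's code) redacts the rapidapi-key query parameter and the X-RapidAPI-Key header value from log lines before they are stored. The function names, the case-insensitive matching and the sample lines are assumptions made for illustration.

```javascript
// Added example: redact RapidAPI keys from log lines before storing them.
// Assumption: names are matched case-insensitively as a defensive choice.
const KEY_PARAM = "rapidapi-key"; // query parameter named on this page
const MASK = "REDACTED";

// Mask the value of every rapidapi-key query parameter in one absolute URL.
// Other parameters are kept but may be re-encoded by URLSearchParams.
function redactUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { text: raw, found: false }; // not a parseable absolute URL
  }
  let found = false;
  const kept = [];
  for (const [name, value] of url.searchParams) {
    const isKey = name.toLowerCase() === KEY_PARAM;
    found = found || isKey;
    kept.push([name, isKey ? MASK : value]);
  }
  if (!found) return { text: raw, found: false };
  url.search = new URLSearchParams(kept).toString();
  return { text: url.toString(), found: true };
}

// Redact a free-form log line: URLs first, then 'X-RapidAPI-Key: value' pairs.
function redactLine(line) {
  let found = false;
  let out = line.replace(/https?:\/\/[^\s"'<>]+/g, (match) => {
    const result = redactUrl(match);
    found = found || result.found;
    return result.text;
  });
  const header = /(x-rapidapi-key["']?\s*[:=]\s*["']?)([^\s"',}]+)/gi;
  out = out.replace(header, (_, prefix) => {
    found = true;
    return prefix + MASK;
  });
  return { text: out, found };
}

// Constructed sample log lines (not real keys or real traffic).
const SAMPLE_LINES = [
  "GET https://example.p.rapidapi.com/?rapidapi-key=CONSTRUCTED-KEY-0001 200",
  'outbound headers={"X-RapidAPI-Key": "CONSTRUCTED-KEY-0002"}',
  "GET https://example.p.rapidapi.com/health 200",
];
const sampleResults = SAMPLE_LINES.map(redactLine);
```

The found flag marks lines where a key was present, which makes it a useful signal for deciding that a key needs rotating as described above.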

