API Keys
Generate and manage API keys to authenticate your requests to the FetchPrompt REST API.
API keys authenticate your application's requests to the FetchPrompt REST API. Each key is scoped to a specific environment (Stage or Production), which determines which prompts are returned.
Key format
API keys follow a prefixed format that indicates the environment:
| Environment | Prefix | Example |
|---|---|---|
| Stage | fp_stage_ | fp_stage_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0 |
| Production | fp_prod_ | fp_prod_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0 |
Keys are 49 characters total: a 9-character prefix (fp_stage_ or fp_prod_) followed by 40 random characters.
Creating an API key
- Navigate to the API Keys page from the sidebar.
- Click Create API Key.
- Enter a name for the key (e.g., "Production Server", "Local Development").
- Select the environment — Stage or Production.
- Click Create.
The full API key is displayed once immediately after creation. Copy it and store it securely. You will not be able to see the full key again. A usage hint is also shown with the Authorization header format so you can start using it right away.
After creation, the API Keys table shows:
- Key name
- Key prefix (first 14 characters + `...`) for identification
- Environment (Stage or Production)
- Created by (team member email)
- Created at timestamp
- Last used timestamp
Using an API key
Include the API key in the Authorization header as a Bearer token:
```bash
curl -H "Authorization: Bearer fp_prod_your_key_here" \
  https://www.fetchprompt.com/api/v1/prompts/my-prompt
```

```javascript
const response = await fetch(
  "https://www.fetchprompt.com/api/v1/prompts/my-prompt",
  {
    headers: {
      Authorization: `Bearer ${process.env.FETCHPROMPT_API_KEY}`,
    },
  }
);
```

The API key determines:
- Which organization's prompts are returned
- Which environment's prompts are returned (Stage or Production)
Security
FetchPrompt takes API key security seriously:
- Keys are never stored in plaintext. Only a SHA-256 hash of the key is persisted in the database.
- Keys are shown once. After creation, only the prefix (e.g., fp_prod_a1b2c3d4e5...) is visible for identification.
- Keys can be revoked instantly. Revoked keys are rejected on the next API call.
Best practices
- Use environment variables — Never hardcode API keys in source code. Store them in .env files or your deployment platform's secret management.
- Use separate keys per deployment — Create different keys for development, staging, CI/CD, and production.
- Rotate keys periodically — Create a new key, update your application, then revoke the old key.
- Revoke compromised keys immediately — If a key is accidentally exposed, revoke it from the dashboard right away.
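One way to enforce the "never hardcode" practice is a pre-commit or CI check that looks for key-shaped strings. The scanner below is an added example, not FetchPrompt's own code. It assumes the 40 random characters are ASCII letters and digits, as in the sample keys above; `scanText`, `redact`, `report` and the sample input are constructed for illustration.

```javascript
// Added example, not FetchPrompt code: find hardcoded API keys in text.
// Assumption: the 40 random characters are ASCII letters and digits, as in
// the documentation's sample keys. Widen the class if real keys differ.
const KEY_PATTERN = /(?<![A-Za-z0-9])fp_(stage|prod)_[A-Za-z0-9]{40}(?![A-Za-z0-9])/g;

// Never echo a full key into logs or CI output: keep the first 14 characters,
// the same identifying prefix the API Keys table shows.
function redact(key) {
  return key.slice(0, 14) + "...";
}

// Returns one finding per key-shaped string, with its location and environment.
function scanText(text, file = "<input>") {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(KEY_PATTERN)) {
      findings.push({
        file,
        line: i + 1,
        column: m.index + 1,
        environment: m[1] === "prod" ? "Production" : "Stage",
        redacted: redact(m[0]),
      });
    }
  });
  return findings;
}

// Formats findings for a pre-commit hook or CI step; empty string means clean.
function report(findings) {
  return findings
    .map((f) => `${f.file}:${f.line}:${f.column} ${f.environment} key ${f.redacted}`)
    .join("\n");
}

// Constructed sample input: two hardcoded keys (the documentation's sample
// values) and two safe lines (a placeholder and an environment variable).
const SAMPLE = [
  'const key = "fp_prod_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0";',
  'curl -H "Authorization: Bearer fp_prod_your_key_here" ...',
  "Authorization: `Bearer ${process.env.FETCHPROMPT_API_KEY}`,",
  "FETCHPROMPT_API_KEY=fp_stage_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0",
].join("\n");

console.log(report(scanText(SAMPLE, "sample.txt")));
```

Treat any key this reports in committed code as exposed: revoke it from the dashboard and create a replacement.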
Revoking an API key
To revoke a key:
- Go to the API Keys page.
- Find the key in the table.
- Click the Revoke action.
- Confirm the revocation.
Revocation is a soft delete — the key record is kept for audit purposes with a revoked_at timestamp, but it will no longer authenticate API requests. Any API calls using a revoked key will receive a 401 Unauthorized response.
Usage monitoring
The API Keys page includes a usage tab that shows:
- API calls this month — current monthly usage count
- Monthly limit — your organization's monthly API call limit (30,000 on the free tier)
- Remaining calls — how many calls are left this month
Usage resets every 30 days from when your organization was created. Rate limiting is applied per organization (not per API key), so all keys in an organization share the same monthly quota.
See Rate Limits & Caching for more details.