Authentication
Authenticate with the RevKeen API using API keys
The RevKeen API uses Bearer token authentication. Include your API key in the Authorization header of every request.
Making Authenticated Requests
curl -X GET "https://api.revkeen.com/v1/customers" \
  -H "Authorization: Bearer rk_live_your_api_key"
API Key Formats
RevKeen provides two types of API keys for different environments:
| Key Type | Prefix | Environment | Use Case |
|---|---|---|---|
| Live Key | rk_live_ | Production | Real transactions, live customers |
| Test Key | rk_test_ | Sandbox | Development, testing, demos |
Never use live keys in development environments. Test keys are completely isolated and don't affect real data.
API Key Scopes
API keys can be restricted to specific scopes for enhanced security. This allows you to create limited-access keys for different services.
| Scope | Description |
|---|---|
| customers:read | Read customer data |
| customers:write | Create, update, delete customers |
| products:read | Read product data |
| products:write | Create, update, delete products |
| subscriptions:read | Read subscription data |
| subscriptions:write | Create, cancel, pause subscriptions |
| invoices:read | Read invoice data |
| invoices:write | Create, update, send invoices |
| webhooks:read | Read webhook configurations |
| webhooks:write | Create, update, delete webhooks |
| checkout:write | Create checkout sessions |
| payments:read | Read payment data |
| payments:write | Process refunds |
| finance:read | Read financial reports |
| settings:read | Read account settings |
| settings:write | Update account settings |
Create separate API keys with minimal scopes for each service or integration to limit potential damage if a key is compromised.
Security Best Practices
✓ Use environment variables: Store API keys in environment variables, not in code
✓ Rotate keys regularly: Create new keys periodically and revoke old ones
✓ Use minimal scopes: Only request the permissions your integration needs
✓ Monitor API usage: Review API logs in your dashboard for suspicious activity
✗ Never commit keys to version control: Use .gitignore to exclude .env files
✗ Never expose keys in client-side code: API keys should only be used server-side
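One way to enforce these practices in code, as an added example that is not RevKeen's own: it loads the key from an environment variable, refuses a live key outside production, and scans text for key literals before they are committed. The variable name REVKEEN_API_KEY, the environment label "production", and the characters allowed after the key prefix are assumptions.

```python
import os
import re

# The rk_live_/rk_test_ prefixes come from the key-format table. The characters
# after the prefix are an assumption (8+ alphanumerics); adjust to your real keys.
KEY_RE = re.compile(r"\brk_(live|test)_[A-Za-z0-9]{8,}")

def load_api_key(app_env, environ=os.environ, var="REVKEEN_API_KEY"):
    """Read the key from an environment variable (name is hypothetical) and
    refuse a live key anywhere except production."""
    key = environ.get(var, "").strip()
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"{var} is missing or is not an rk_live_/rk_test_ key")
    if key.startswith("rk_live_") and app_env != "production":
        raise ValueError(f"live key refused in {app_env!r} environment")
    return key

def auth_headers(key):
    """Build the same header the curl example sends."""
    return {"Authorization": f"Bearer {key}"}

def scan_text(path, text):
    """Return (path, line_no, key_type, redacted) for every key literal found,
    e.g. from a pre-commit hook. The secret part is never echoed back."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append((path, line_no, m.group(1), f"rk_{m.group(1)}_****"))
    return findings

# Constructed sample: a .env file about to be committed (not a real key).
SAMPLE_ENV = "APP_ENV=staging\nREVKEEN_API_KEY=rk_live_EXAMPLE0EXAMPLE0\n"

if __name__ == "__main__":
    for finding in scan_text(".env", SAMPLE_ENV):
        print("key literal found:", finding)
    try:
        load_api_key("staging", {"REVKEEN_API_KEY": "rk_live_EXAMPLE0EXAMPLE0"})
    except ValueError as err:
        print("refused:", err)
```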
Rate Limiting
The API enforces rate limits to ensure fair usage. Current limits:
| Plan | Requests/minute | Requests/day |
|---|---|---|
| Starter | 100 | 10,000 |
| Pro | 500 | 100,000 |
| Enterprise | 2,000 | Unlimited |
Rate limit headers are included in every response: X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset.