Authentication
Authenticate with the RevKeen API using API keys and Bearer tokens
The RevKeen API uses API keys to authenticate requests. Include your API key in the x-revkeen-key header (or Authorization: Bearer header) of every request.
RevKeen uses Unkey under the hood to issue, manage, and rate-limit these keys.
Making Authenticated Requests
All requests to the RevKeen API must include an API key:
```http
x-revkeen-key: rk_live_your_api_key
```
If the header is missing or invalid, the API responds with:
- 401 Unauthorized
- An authentication_error body as defined in the Error schema
Example with cURL
```bash
curl https://api.revkeen.com/v2/customers \
  -H "x-revkeen-key: rk_live_123..." \
  -H "Content-Type: application/json"
```
Example with the TypeScript SDK
```typescript
import RevKeen from '@revkeen/sdk';

const client = new RevKeen({
  apiKey: process.env.REVKEEN_API_KEY,
});

const customers = await client.customers.list();
```
Example with the Python SDK
```python
from revkeen import RevKeen
import os

client = RevKeen(api_key=os.environ["REVKEEN_API_KEY"])
customers = client.customers.list()
```
API Key Formats
API keys are generated from the RevKeen Dashboard > Developers > API Keys page.
Each key has:
- A prefix indicating the environment
- A random secret (the sensitive part)
- Associated metadata (tenant, rate plan, roles) managed by Unkey
| Key Type | Prefix | Environment | Use Case |
|---|---|---|---|
| Live Key | rk_live_ | Production | Real transactions, live customers |
| Sandbox Key | rk_sandbox_ | Sandbox | Development, testing, demos |
Never expose rk_live_ keys in client-side code, mobile apps, or public repos.
API Key Scopes
API keys can be restricted to specific scopes for enhanced security. This allows you to create limited-access keys for different services.
| Scope | Description |
|---|---|
| customers:read | Read customer data |
| customers:write | Create, update, delete customers |
| products:read | Read product data |
| products:write | Create, update, delete products |
| subscriptions:read | Read subscription data |
| subscriptions:write | Create, cancel, pause subscriptions |
| invoices:read | Read invoice data |
| invoices:write | Create, update, send invoices |
| webhooks:read | Read webhook configurations |
| webhooks:write | Create, update, delete webhooks |
| checkout:write | Create checkout sessions |
| payments:read | Read payment data |
| payments:write | Process refunds |
| finance:read | Read financial reports |
| settings:read | Read account settings |
| settings:write | Update account settings |
Create separate API keys with minimal scopes for each service or integration to limit potential damage if a key is compromised.
Security Best Practices
- Use environment variables -- Store API keys in environment variables, not in code
- Rotate keys regularly -- Create new keys periodically and revoke old ones
- Use minimal scopes -- Only request the permissions your integration needs
- Monitor API usage -- Review API logs in your dashboard for suspicious activity
- Never commit keys to version control -- Use .gitignore to exclude .env files
- Never expose keys in client-side code -- API keys should only be used server-side
Rate Limiting
The API enforces rate limits to ensure fair usage. Rate limiting is enforced per API key via Unkey.
| Plan | Requests / minute | Burst |
|---|---|---|
| Starter | 60 | 10 |
| Growth | 600 | 50 |
| Enterprise | 6000 | 200 |
Each response includes rate limit headers:
- X-RateLimit-Limit -- Maximum requests allowed
- X-RateLimit-Remaining -- Requests remaining in the current window
- X-RateLimit-Reset -- Unix timestamp when the limit resets
When a limit is exceeded, the API returns 429 Too Many Requests with a rate_limit_error body.
Because these headers arrive on every response, monitor X-RateLimit-Remaining and slow down before it reaches zero rather than waiting for a 429.
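Added example, not RevKeen's own SDK code: a minimal client-side wrapper that applies the header, key-prefix and rate-limit behaviour described under Making Authenticated Requests and Rate Limiting above. The `send` callable, the `expected_env` guard and the `Response` tuple shape are assumptions made for illustration; the header names, key prefixes and status codes are the ones this page documents.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Key prefixes documented on this page, mapped to the environment they indicate.
KEY_PREFIXES = {"rk_live_": "production", "rk_sandbox_": "sandbox"}
Response = Tuple[int, Dict[str, str], bytes]  # assumed shape: (status, headers, body)

def key_environment(api_key: str) -> Optional[str]:
    """Return the environment a key's prefix indicates, or None if the key
    carries no known RevKeen prefix (or nothing after the prefix)."""
    for prefix, env in KEY_PREFIXES.items():
        if api_key.startswith(prefix) and len(api_key) > len(prefix):
            return env
    return None

def auth_headers(api_key: str, expected_env: str) -> Dict[str, str]:
    """Build the request headers, refusing a key whose prefix does not match
    the environment this process is meant to talk to (e.g. a live key in CI)."""
    env = key_environment(api_key)
    if env is None:
        raise ValueError("REVKEEN_API_KEY value does not look like a RevKeen key")
    if env != expected_env:
        raise ValueError(f"refusing to use a {env} key against {expected_env}")
    return {"x-revkeen-key": api_key, "Content-Type": "application/json"}

def seconds_until_reset(headers: Dict[str, str], now: float) -> float:
    """Seconds to wait until X-RateLimit-Reset (a Unix timestamp); never negative."""
    reset = float(headers.get("X-RateLimit-Reset", now))
    return max(0.0, reset - now)

def request_with_backoff(send: Callable[[], Response], max_attempts: int = 3,
                         sleep: Callable[[float], None] = time.sleep,
                         clock: Callable[[], float] = time.time) -> Response:
    """Call `send` (assumed to perform one HTTP request and return
    (status, headers, body)). Only 429 is retried, after waiting for the
    window to reset; 401 is raised immediately, because a missing or
    invalid key will not become valid by resending it."""
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if status == 429 and attempt < max_attempts:
            sleep(seconds_until_reset(headers, clock()))
            continue
        if status == 401:
            raise PermissionError("authentication_error: check the x-revkeen-key header")
        return status, headers, body
```

Inject `sleep` and `clock` in tests so the retry path can be exercised without real waits or network access.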