Documentation

Authentication

Every protected endpoint requires an API key sent via a request header.

API Key Header

Include the X-API-Key header in every request that requires authentication. Replace YOUR_API_KEY with the key from your dashboard.

request.shbash

curl https://your-domain.com/api/v1/files \
  -H "X-API-Key: YOUR_API_KEY"

request.pypython

import requests

headers = {"X-API-Key": "YOUR_API_KEY"}
response = requests.get("https://your-domain.com/api/v1/files", headers=headers)
print(response.json())

request.jsjavascript

const response = await fetch("https://your-domain.com/api/v1/files", {
  headers: { "X-API-Key": "YOUR_API_KEY" },
});
const data = await response.json();
console.log(data);

Public Endpoints

The following endpoints do not require authentication:

Method	Path	Description
POST	/api/v1/users/register	Create a new account
POST	/api/v1/users/renew/challenge	Request key renewal code
POST	/api/v1/users/renew	Complete key renewal

Authentication Error Responses

If authentication fails the server responds with one of the following:

Status	Reason
401	No X-API-Key header provided
401	API key does not match any registered user
403	Account is suspended or the key has been invalidated

Security Best Practices

Follow these guidelines to keep your API key safe.

Never hardcode your key
Store it in environment variables (e.g. NEXT_PUBLIC_API_KEY in .env.local) or a secrets manager.
Never commit it to source control
Add .env* to your .gitignore file. Treat the key with the same care as a database password.
Rotate periodically
Use the renewal flow in the dashboard to generate a new key. The old key is invalidated immediately.
Use HTTPS only
Always make API calls over HTTPS. Plain HTTP requests can expose your key to network observers.
Do not share your key
Each team member should have their own account and API key for auditability.

Leaked Key?

If you suspect your API key has been compromised, renew it immediately from the dashboard. All in-flight requests using the old key will receive a 401 response.

Environment Variable Example

.env.localbash

# .env.local — never commit this file
IPFS_API_KEY=your_api_key_here

api-client.tsjavascript

// Read from environment at build time (server components)
const API_KEY = process.env.IPFS_API_KEY ?? "";

// Or at runtime for client components (prefix NEXT_PUBLIC_)
const API_KEY = process.env.NEXT_PUBLIC_IPFS_API_KEY ?? "";

API Key Header

Include the X-API-Key header in every request that requires authentication. Replace YOUR_API_KEY with the key from your dashboard.

request.shbash

curl https://your-domain.com/api/v1/files \
  -H "X-API-Key: YOUR_API_KEY"

request.pypython

import requests

headers = {"X-API-Key": "YOUR_API_KEY"}
response = requests.get("https://your-domain.com/api/v1/files", headers=headers)
print(response.json())

request.jsjavascript

const response = await fetch("https://your-domain.com/api/v1/files", {
  headers: { "X-API-Key": "YOUR_API_KEY" },
});
const data = await response.json();
console.log(data);

Public Endpoints

The following endpoints do not require authentication:

Method

Path

Description

POST

/api/v1/users/register

Create a new account

POST

/api/v1/users/renew/challenge

Request key renewal code

POST

/api/v1/users/renew

Complete key renewal

Authentication Error Responses

If authentication fails the server responds with one of the following:

Status

Reason

401

No X-API-Key header provided

401

API key does not match any registered user

403

Account is suspended or the key has been invalidated

Security Best Practices

Follow these guidelines to keep your API key safe.

Never hardcode your key

Store it in environment variables (e.g. NEXT_PUBLIC_API_KEY in .env.local) or a secrets manager.

Never commit it to source control

Add .env* to your .gitignore file. Treat the key with the same care as a database password.

Rotate periodically

Use the renewal flow in the dashboard to generate a new key. The old key is invalidated immediately.

Use HTTPS only

Always make API calls over HTTPS. Plain HTTP requests can expose your key to network observers.

Do not share your key

Each team member should have their own account and API key for auditability.

Leaked Key?

If you suspect your API key has been compromised, renew it immediately from the dashboard. All in-flight requests using the old key will receive a 401 response.

Environment Variable Example

.env.localbash

# .env.local — never commit this file
IPFS_API_KEY=your_api_key_here

api-client.tsjavascript

// Read from environment at build time (server components)
const API_KEY = process.env.IPFS_API_KEY ?? "";

// Or at runtime for client components (prefix NEXT_PUBLIC_)
const API_KEY = process.env.NEXT_PUBLIC_IPFS_API_KEY ?? "";