Overview
API keys authenticate SDK requests to the S4Kit platform. They follow a Stripe-like model with granular permissions and rate limits.
API keys have a recognizable format:
sk_ prefix identifies S4Kit keys
live_ or test_ indicates the environment
- Random string ensures uniqueness
Creating API Keys
Via Dashboard
- Navigate to API Keys
- Click Create Key
- Configure the key:
| Field | Description |
|---|
| Name | Descriptive name (e.g., “Backend Service”) |
| Description | Optional notes |
| Instances | Which instances the key can access |
| Permissions | Entity-level permissions |
| Rate Limits | Per-minute and per-day limits |
- Click Create
- Copy the key immediately—it won’t be shown again
The full API key is only displayed once. Store it securely.
Permissions
Permission Model
Each API key can have granular permissions:
Operations
| Operation | Description |
|---|
| list | Query multiple entities |
| get | Retrieve single entity |
| create | Create new entities |
| update | Modify existing entities |
| delete | Remove entities |
Example Configuration
Wildcard Permissions
Grant access to all entities in a service:
Rate Limits
Default Limits
| Limit | Default |
|---|
| Per minute | 60 requests |
| Per day | 10,000 requests |
Custom Limits
Set custom limits per API key:
The SDK receives rate limit information in headers:
Handling Rate Limits
Key Management
Viewing Keys
The dashboard shows:
- Key name and description
- Key prefix (e.g.,
sk_live_abc1...xyz9)
- Last 4 characters
- Created date
- Last used date
Editing Keys
Update key settings without regenerating:
- Click on the key
- Modify permissions or rate limits
- Click Save
Revoking Keys
Immediately invalidate a key:
- Click on the key
- Click Revoke
- Confirm revocation
Revoking a key immediately stops all requests using that key. This cannot be undone.
Key Rotation
Safe Rotation Process
- Create a new key with the same permissions
- Deploy the new key to your application
- Monitor both keys for a transition period
- Revoke the old key once no longer in use
Zero-Downtime Rotation
Security Best Practices
Never Commit Keys
Use Environment Variables
Principle of Least Privilege
- Only grant permissions the key needs
- Use separate keys for different services
- Prefer read-only keys when possible
Monitor Usage
- Review API key logs regularly
- Set up alerts for unusual activity
- Revoke unused keys
Common Use Cases
Read-Only Analytics Key
For dashboards and reporting:
Backend Service Key
For application backends:
Development Key
For local development: