Skip to main content

Overview

API keys authenticate SDK requests to the S4Kit platform. They follow a Stripe-like model with granular permissions and rate limits.

Key Format

API keys have a recognizable format:
  • sk_ prefix identifies S4Kit keys
  • live_ or test_ indicates the environment
  • Random string ensures uniqueness

Creating API Keys

Via Dashboard

  1. Navigate to API Keys
  2. Click Create Key
  3. Configure the key:
FieldDescription
NameDescriptive name (e.g., “Backend Service”)
DescriptionOptional notes
InstancesWhich instances the key can access
PermissionsEntity-level permissions
Rate LimitsPer-minute and per-day limits
  1. Click Create
  2. Copy the key immediately—it won’t be shown again
The full API key is only displayed once. Store it securely.

Permissions

Permission Model

Each API key can have granular permissions:

Operations

OperationDescription
listQuery multiple entities
getRetrieve single entity
createCreate new entities
updateModify existing entities
deleteRemove entities

Example Configuration

Wildcard Permissions

Grant access to all entities in a service:

Rate Limits

Default Limits

LimitDefault
Per minute60 requests
Per day10,000 requests

Custom Limits

Set custom limits per API key:

Rate Limit Headers

The SDK receives rate limit information in headers:

Handling Rate Limits

Key Management

Viewing Keys

The dashboard shows:
  • Key name and description
  • Key prefix (e.g., sk_live_abc1...xyz9)
  • Last 4 characters
  • Created date
  • Last used date

Editing Keys

Update key settings without regenerating:
  1. Click on the key
  2. Modify permissions or rate limits
  3. Click Save

Revoking Keys

Immediately invalidate a key:
  1. Click on the key
  2. Click Revoke
  3. Confirm revocation
Revoking a key immediately stops all requests using that key. This cannot be undone.

Key Rotation

Safe Rotation Process

  1. Create a new key with the same permissions
  2. Deploy the new key to your application
  3. Monitor both keys for a transition period
  4. Revoke the old key once no longer in use

Zero-Downtime Rotation

Security Best Practices

Never Commit Keys

Use Environment Variables

Principle of Least Privilege

  • Only grant permissions the key needs
  • Use separate keys for different services
  • Prefer read-only keys when possible

Monitor Usage

  • Review API key logs regularly
  • Set up alerts for unusual activity
  • Revoke unused keys

Common Use Cases

Read-Only Analytics Key

For dashboards and reporting:

Backend Service Key

For application backends:

Development Key

For local development: