API Keys
API keys authenticate the Skrypt CLI and REST API against your project. Each key is scoped to a single project and can be used in CI/CD pipelines, scripts, or direct API calls.
Creating a key
Open your project in the dashboard, then go to Settings > API Keys. Click Create API Key and enter a descriptive name (for example, "CI deploy" or "Local dev").
The key is displayed once after creation. Copy it immediately. The full key is never stored or shown again.
Key format
Keys follow this format:
sk_live_<48 hex characters>
For example:
sk_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6
Only the prefix (sk_live_xxxx) is stored for identification. The full key is hashed with SHA-256 before it reaches the database.
Using with the CLI
The simplest way to authenticate is the interactive login:
skrypt login
For non-interactive environments like CI, set the environment variable:
export SKRYPT_API_KEY=sk_live_...
skrypt deploy
Or pass the token directly:
skrypt deploy --token sk_live_...
Using with the API
Include the key in the Authorization header as a Bearer token:
curl -H "Authorization: Bearer sk_live_..." \
https://app.skrypt.sh/api/projects/my-project/analytics?range=7d
All API endpoints require a valid key scoped to the requested project. Requests with an invalid or revoked key return 401 Unauthorized.
Key security
Skrypt follows these security practices for API keys:
| Property | Details |
|---|---|
| Storage | SHA-256 hash only, plaintext never persisted |
| Prefix | First 12 characters stored for display (sk_live_xxxx) |
| Shown once | Full key returned only at creation time |
| Rate limited | Key creation and deletion are rate-limited per user |
| Scoped | Each key belongs to one project |
Treat API keys like passwords. Do not commit them to version control. Use environment variables or a secrets manager in CI/CD.
Revoking a key
Go to Settings > API Keys in the dashboard. Find the key by its name or prefix, then click Revoke. The key is deleted immediately and all requests using it will fail.
Revoking a key cannot be undone. Create a new key if you need to restore access.
Listing keys
The API keys page shows all active keys for a project with their name, prefix, creation date, and last used timestamp. The full key value is never shown after creation.
What's next
- Getting Started, set up your first hosted docs project
- Deploy Guide, use API keys in CI/CD for automated deployments
- Plans and Billing, check your plan limits and usage