Authentication
Learn how to authenticate API requests using API keys and manage them securely.
Overview
The Screenshot API uses API key authentication. All requests must include an API key in the Authorization header using the Bearer token scheme.
Authentication Format
Include your API key in every request:
Authorization: Bearer YOUR_API_KEY
Complete example with cURL:
curl -X POST https://snappkit.com/api/screenshot \
  -H "Authorization: Bearer sk_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{"url":"https://example.com"}'
API Key Format
API keys follow this format:
sk_live_<40-character-hex-string>
Example:
sk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0
Key Components
- sk_live: Prefix indicating a live (production) API key
- 40 hex characters: Cryptographically secure random identifier (160-bit entropy)
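The documented format is regular enough to scan for. The following check is an added example, not part of the Screenshot API or its documentation: it flags full keys in text such as source files or log output and replaces them with the masked form used on the API Keys page. The names findLeakedKeys, redactKeys and maskKey are hypothetical, and the sample key and file are constructed.

```javascript
// Matches the documented format: the "sk_live_" prefix followed by exactly 40 hex characters.
const KEY_PATTERN = /\bsk_live_[0-9a-fA-F]{40}\b/g;

// Masked display form, as on the API Keys page: prefix, ellipsis, last four characters.
function maskKey(key) {
  return `sk_live_...${key.slice(-4)}`;
}

// Report every full key in the text, by 1-based line number, without echoing the secret.
function findLeakedKeys(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, i) => {
    for (const match of lineText.matchAll(KEY_PATTERN)) {
      findings.push({ line: i + 1, masked: maskKey(match[0]) });
    }
  });
  return findings;
}

// Replace full keys with their masked form, e.g. before writing to a log.
function redactKeys(text) {
  return text.replace(KEY_PATTERN, (key) => maskKey(key));
}

// Constructed sample: a 40-hex-character key and a small source file that hardcodes it.
const SAMPLE_KEY = 'sk_live_' + '0123456789abcdef'.repeat(2) + '01234567';
const SAMPLE_FILE = [
  'const endpoint = "https://snappkit.com/api/screenshot";',
  `const apiKey = "${SAMPLE_KEY}"; // hardcoded key: flagged`,
  'const fromEnv = process.env.SCREENSHOT_API_KEY; // read from environment: not flagged',
  'const shown = "sk_live_...s9t0"; // masked display value: not flagged',
].join('\n');

function scanSample() {
  return findLeakedKeys(SAMPLE_FILE);
}
```

Run as a pre-commit or CI step, a non-empty result from findLeakedKeys should fail the build.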
Managing API Keys
Creating a New Key
- Navigate to your API Keys page
- Click "Generate New Key"
- Enter a descriptive name (e.g., "Production Server", "Mobile App")
- Click "Create"
- Copy your key immediately - it will only be shown once
Important
Viewing Your Keys
On the API Keys page, you can see all your keys with their:
- Name/label
- Masked key value (e.g., sk_live_...s9t0)
- Last used timestamp
- Active/inactive status
Rotating Keys
For security, we recommend rotating your API keys periodically (every 90 days):
- Generate a new API key
- Update your application to use the new key
- Test that the new key works
- Revoke or delete the old key
Revoking a Key
To revoke a key (make it inactive without deleting):
- Go to the API Keys page
- Click "Revoke" on the key you want to disable
- Confirm the action
Revoked keys remain in your account history for audit purposes but cannot be used to make API requests.
Deleting a Key
To permanently delete a key:
- Go to the API Keys page
- Click "Delete" on the key you want to remove
- Confirm the action
Warning
API Key Management - Code Examples
Use these code examples to programmatically manage your API keys. All key management endpoints require authentication using your Clerk session.
List All API Keys
Retrieve all API keys for the authenticated user.
curl https://snappkit.com/api/keys \
  -H "Authorization: Bearer YOUR_CLERK_TOKEN" \
  -H "Content-Type: application/json"
Example Response
{
  "keys": [
    {
      "id": "key_abc123",
      "name": "Production Server",
      "key": "sk_live_...s9t0",
      "lastUsed": 1704067200000,
      "isActive": true,
      "createdAt": 1701475200000
    },
    {
      "id": "key_def456",
      "name": "Development",
      "key": "sk_live_...x1y2",
      "lastUsed": null,
      "isActive": true,
      "createdAt": 1703664000000
    }
  ]
}
Create New API Key
Generate a new API key with a descriptive name.
curl -X POST https://snappkit.com/api/keys \
  -H "Authorization: Bearer YOUR_CLERK_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"Production Server"}'
Example Response
{
  "id": "key_abc123",
  "name": "Production Server",
  "key": "sk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0",
  "createdAt": 1704067200000,
  "isActive": true
}
Save Your Key
Revoke API Key
Deactivate an API key without permanently deleting it.
curl -X PATCH https://snappkit.com/api/keys/key_abc123 \
  -H "Authorization: Bearer YOUR_CLERK_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"isActive": false}'
Example Response
{
  "success": true,
  "message": "API key revoked successfully"
}
Delete API Key
Permanently delete an API key from your account.
curl -X DELETE https://snappkit.com/api/keys/key_abc123 \
  -H "Authorization: Bearer YOUR_CLERK_TOKEN" \
  -H "Content-Type: application/json"
Example Response
{
  "success": true,
  "message": "API key deleted permanently"
}
Permanent Action
Error Handling Example
Always handle errors gracefully when managing API keys.
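async function createApiKey(name) {
  try {
    const response = await fetch('https://snappkit.com/api/keys', {
      method: 'POST',
      headers: {
        // Key management endpoints authenticate with the Clerk session token, not an API key.
        'Authorization': 'Bearer YOUR_CLERK_TOKEN',
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({ name })
    });
    if (!response.ok) {
      const error = await response.json();
      throw new Error(error.message || 'Failed to create API key');
    }
    const data = await response.json();
    // The full key value is only returned by this call; later listings show it masked.
    return data.key;
  } catch (error) {
    console.error('API Key creation failed:', error.message);
    throw error;
  }
}
// Usage (top-level await requires an ES module)
const apiKey = await createApiKey('Production Server');
// This prints the full secret: do it only in an interactive terminal, never in shared or persisted logs.
console.log('Created key:', apiKey);
Authentication Note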
Security Best Practices
1. Use Environment Variables
Never hardcode API keys in your source code:
SCREENSHOT_API_KEY=sk_live_abc123...
const apiKey = process.env.SCREENSHOT_API_KEY;
2. Don't Commit Keys to Git
Add your environment file to .gitignore:
.env
.env.local
.env.production
3. Use Server-Side APIs Only
Never expose API keys in client-side JavaScript, mobile apps, or public repositories. Always make API calls from your backend server.
4. Monitor Key Usage
Regularly check the "last used" timestamp on your API keys. If you see unexpected activity, revoke the key immediately and investigate.
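This review can be automated against the response of the List All API Keys endpoint. The following is an added example, not code from the Screenshot API project: auditKeys is a hypothetical helper, the 30-day idle threshold and the dormantIds list (keys you expect to see no traffic on) are assumptions, and the third sample key and the NOW timestamp are constructed.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// keys: the "keys" array from GET /api/keys; now: current time in epoch milliseconds.
function auditKeys(keys, now, opts = {}) {
  const maxAgeDays = opts.maxAgeDays ?? 90;          // rotation interval recommended on this page
  const idleDays = opts.idleDays ?? 30;              // assumption: local idle threshold
  const dormantIds = new Set(opts.dormantIds ?? []); // assumption: keys that should see no traffic
  const findings = [];
  const flag = (k, issue, detail) => findings.push({ id: k.id, name: k.name, issue, detail });

  for (const k of keys) {
    if (!k.isActive) continue; // revoked keys cannot make API requests
    const ageDays = Math.floor((now - k.createdAt) / DAY_MS);
    if (ageDays >= maxAgeDays) flag(k, 'rotate', `created ${ageDays} days ago`);

    if (k.lastUsed === null) {
      if (ageDays >= idleDays) flag(k, 'never-used', 'candidate for revocation');
      continue;
    }
    const idleFor = Math.floor((now - k.lastUsed) / DAY_MS);
    if (dormantIds.has(k.id) && idleFor < idleDays) {
      flag(k, 'unexpected-use', `used ${idleFor} days ago; revoke and investigate`);
    } else if (idleFor >= idleDays) {
      flag(k, 'idle', `last used ${idleFor} days ago`);
    }
  }
  return findings;
}

// The first two entries are the example response shown earlier; the third and NOW are constructed.
const NOW = 1709251200000; // 2024-03-01T00:00:00Z
const SAMPLE_KEYS = [
  { id: 'key_abc123', name: 'Production Server', key: 'sk_live_...s9t0',
    lastUsed: 1704067200000, isActive: true, createdAt: 1701475200000 },
  { id: 'key_def456', name: 'Development', key: 'sk_live_...x1y2',
    lastUsed: null, isActive: true, createdAt: 1703664000000 },
  { id: 'key_ghi789', name: 'Retired Worker', key: 'sk_live_...0000',
    lastUsed: NOW - DAY_MS, isActive: true, createdAt: NOW - 10 * DAY_MS },
];

function runSampleAudit() {
  return auditKeys(SAMPLE_KEYS, NOW, { dormantIds: ['key_ghi789'] });
}
```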
5. Use Multiple Keys
Create separate keys for different environments (development, staging, production) to limit blast radius if a key is compromised.
6. Rotate Periodically
Set a calendar reminder to rotate your production keys every 90 days as a proactive security measure.
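The four rotation steps from "Rotating Keys" can be scripted with the key management endpoints documented above. This is an added example, not code from the Screenshot API project: rotateKey and makeStubApi are hypothetical names, deploy is a hypothetical hook that writes the new key to your secret store, and the stub stands in for the API so the flow runs offline.

```javascript
const BASE = 'https://snappkit.com/api';
const json = (token) => ({ Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' });

// fetchImpl is injected so the flow can run against a stub; pass globalThis.fetch in real use.
// deploy(newKey) is a hypothetical hook that writes the key to your secret store.
async function rotateKey({ fetchImpl, sessionToken, oldKeyId, name, deploy }) {
  const call = (path, method, token, body) =>
    fetchImpl(`${BASE}${path}`, { method, headers: json(token), body: JSON.stringify(body) });

  // Step 1: generate the replacement key; the full value is only returned by this call.
  const created = await call('/keys', 'POST', sessionToken, { name });
  if (!created.ok) throw new Error(`create failed: HTTP ${created.status}`);
  const { id: newKeyId, key: newKey } = await created.json();

  // Steps 2-3: switch the application over, then prove the new key authenticates.
  await deploy(newKey);
  const probe = await call('/screenshot', 'POST', newKey, { url: 'https://example.com' });
  if (probe.status !== 200) {
    // Old key is left active so the caller can roll back; the unverified key is revoked.
    await call(`/keys/${newKeyId}`, 'PATCH', sessionToken, { isActive: false });
    return { rotated: false, newKeyId, reason: `new key rejected: HTTP ${probe.status}` };
  }

  // Step 4: revoke the old key only after the new one is confirmed working.
  const revoked = await call(`/keys/${oldKeyId}`, 'PATCH', sessionToken, { isActive: false });
  if (!revoked.ok) throw new Error(`revoke failed: HTTP ${revoked.status}`);
  return { rotated: true, newKeyId };
}

// Constructed in-memory stub of the three endpoints used above, for offline runs.
function makeStubApi({ newKeyWorks }) {
  const calls = [];
  const reply = (status, body) => ({ ok: status < 300, status, json: async () => body });
  const fetchImpl = async (url, init) => {
    calls.push(`${init.method} ${url.slice(BASE.length)}`);
    if (url === `${BASE}/keys`) return reply(200, { id: 'key_new001', key: 'sk_live_' + 'ab'.repeat(20) });
    if (url === `${BASE}/screenshot`) return reply(newKeyWorks ? 200 : 401, {});
    return reply(200, { success: true });
  };
  return { fetchImpl, calls };
}
```

Revoking rather than deleting the old key keeps it in the account history for audit, as described under "Revoking a Key".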
Common Authentication Errors
401 Unauthorized
Your API key is missing, invalid, or has been revoked.
402 Payment Required
Your account has insufficient credits. Purchase more credits to continue using the API.
For a complete list of error codes, see the Error Handling documentation.
Testing Authentication
Test your API key with a simple request:
curl -X POST https://snappkit.com/api/screenshot \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://example.com"}' \
  -w "\nHTTP Status: %{http_code}\n"
If authentication succeeds, you'll receive a 200 status code and a screenshot. If it fails, you'll get a 401 error with details.