API keys
API keys authenticate your platform's server to ChronaPilot. They are long-lived bearer tokens you keep secret on your backend.
Key prefixes
| Prefix | Meaning |
|---|---|
| pk_live_ | Publishable, live mode — safe in client code, read-only. |
| pk_test_ | Publishable, sandbox — safe in client code. |
| sk_live_ | Secret, live mode — full API access. |
| sk_test_ | Secret, sandbox — full API access against test data. |
| rk_live_ | Restricted, live mode — limited scopes (see below). |
The character following the prefix encodes the issuing region, so a leaked key can be traced back to its key-generation event in the audit log.
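The prefix table above is enough to tell, from the first eight characters alone, whether a key belongs in client code. The following Python is an added example, not ChronaPilot's own code: it classifies a key by prefix, exposes the region character (the page does not publish the region mapping, so it is returned raw), and scans a config blob for anything that is not a publishable key. The token shape after the prefix (one region character followed by an opaque alphanumeric body of at least 16 characters) and the sample values are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Prefix table as documented. Everything after the prefix is this example's assumption.
PREFIXES = {
    "pk_live_": ("publishable", "live"),
    "pk_test_": ("publishable", "test"),
    "sk_live_": ("secret", "live"),
    "sk_test_": ("secret", "test"),
    "rk_live_": ("restricted", "live"),
}

# Assumed token shape: known prefix, one region character, then an opaque body.
KEY_RE = re.compile(r"\b(?:pk|sk|rk)_(?:live|test)_[A-Za-z0-9][A-Za-z0-9]{15,}\b")


@dataclass
class KeyInfo:
    kind: str              # publishable | secret | restricted
    mode: str              # live | test
    region_code: str       # raw character after the prefix; mapping not published
    safe_for_client: bool  # only publishable keys may ship in client code


def classify_key(key: str) -> Optional[KeyInfo]:
    """Classify a key by its documented prefix; None if it is not a ChronaPilot-style key."""
    for prefix, (kind, mode) in PREFIXES.items():
        if key.startswith(prefix) and len(key) > len(prefix):
            return KeyInfo(kind, mode, key[len(prefix)], kind == "publishable")
    return None


def redact(key: str) -> str:
    """Keep prefix + region (enough to act on the finding) and the last 4 characters."""
    return key[:9] + "…" + key[-4:]


def find_leaked_secrets(text: str) -> list:
    """Return (line_number, redacted_key) for every non-publishable key found in text.

    Intended for a pre-commit hook or CI step over config files and source.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            info = classify_key(match.group(0))
            if info is not None and not info.safe_for_client:
                hits.append((lineno, redact(match.group(0))))
    return hits


# Constructed sample config; these are not real keys.
SAMPLE_CONFIG = """\
# constructed sample, not a real ChronaPilot key
CHRONA_PUBLISHABLE=pk_test_uABCDEFGHIJKLMNOPQRS
CHRONA_SECRET=sk_live_uZYXWVUTSRQPONMLKJIH
"""

if __name__ == "__main__":
    for lineno, redacted in find_leaked_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: secret key {redacted} must not be committed")
```

The scanner reports only the prefix, region character and key tail, so a finding can be matched against the audit log without copying the full secret into CI output.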
Restricted keys
Restricted keys (rk_…) carry a custom scope set instead of full account access. Use them for internal services that only need a narrow surface — for example, a service that only needs to read events and never write them.
In the dashboard, you can scope a restricted key to:
- Specific resources (events, connections, webhooks)
- Read-only or read/write per resource
- Specific IP allowlist
- Per-key rate limits
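To make the four scoping dimensions concrete, here is an added Python example (not ChronaPilot's server code) that evaluates a request against a restricted key's scope set: resource, read/write level, IP allowlist and a per-key rate limit, in that order. The record layout, the field names and the sample key are assumptions made for the example; the resource names come from the list above.

```python
import ipaddress
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Optional, Tuple

RESOURCES = {"events", "connections", "webhooks"}  # resources listed on the page


@dataclass
class RestrictedKey:
    """Scope set attached to an rk_ key. Field names are this example's own assumption."""
    key_id: str
    scopes: dict                 # resource -> "read" | "write"
    ip_allowlist: list           # CIDR strings; empty list means no IP restriction
    rate_limit_per_min: int
    recent_requests: deque = field(default_factory=deque, repr=False)


def authorize(key: RestrictedKey, resource: str, action: str, client_ip: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Only allowed requests count against the rate limit."""
    now = time.time() if now is None else now
    if resource not in RESOURCES:
        return False, f"unknown resource {resource!r}"
    if action not in ("read", "write"):
        return False, f"unknown action {action!r}"
    level = key.scopes.get(resource)
    if level is None:
        return False, f"key not scoped to {resource}"
    if action == "write" and level != "write":
        return False, f"key is read-only for {resource}"
    if key.ip_allowlist:
        ip = ipaddress.ip_address(client_ip)
        # membership test is False (not an error) when IP and network versions differ
        if not any(ip in ipaddress.ip_network(cidr) for cidr in key.ip_allowlist):
            return False, f"{client_ip} not in allowlist"
    # sliding one-minute window over accepted requests
    while key.recent_requests and now - key.recent_requests[0] >= 60:
        key.recent_requests.popleft()
    if len(key.recent_requests) >= key.rate_limit_per_min:
        return False, "rate limit exceeded"
    key.recent_requests.append(now)
    return True, "ok"


# Constructed sample: an internal service that only reads events from one subnet.
EVENTS_READER = RestrictedKey(
    key_id="rk_live_PLACEHOLDER",  # placeholder id, not a real key
    scopes={"events": "read"},
    ip_allowlist=["10.20.0.0/16"],
    rate_limit_per_min=2,
)

if __name__ == "__main__":
    print(authorize(EVENTS_READER, "events", "read", "10.20.3.4"))
    print(authorize(EVENTS_READER, "events", "write", "10.20.3.4"))
    print(authorize(EVENTS_READER, "events", "read", "192.0.2.9"))
```

The checks are ordered so that a scope or allowlist denial never consumes rate-limit budget; whether denied requests should count is a policy choice, and an API gateway that counts every request would move the window update to the top.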
Storage and rotation
- Never commit keys to source control. Use a secrets manager (Vault, AWS Secrets Manager, Azure Key Vault).
- Rotate quarterly at minimum. Rotation invalidates the old key immediately.
- Set up alerts on the last_used field — a key that hasn't been seen in 30 days is a candidate for retirement.
Webhooks
The API keys page is also where you find your webhook signing secret. Each registered webhook endpoint has its own secret used to compute the Chronapilot-Signature header — see Webhooks.
Programmatic management
The dashboard is the source of truth, but every action is also available via the API:
```shell
curl https://api.chronapilot.com/v1/api_keys \
  -H "Authorization: Bearer sk_live_…"
```
This requires an sk_live_ key with the apikeys:manage scope and is rate-limited to 10 req/min.
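Listing keys programmatically is most useful when combined with the rotation rules from the Storage and rotation section: rotate at least every 90 days, and treat a key unseen for 30 days as a retirement candidate. The Python below is an added example, not ChronaPilot's client library: it builds the list request (refusing anything but an sk_live_ key, as the page requires) and audits a list of key records. Only last_used is named on the page; the id, prefix and created fields, the record shape and the sample data are assumptions for this example, and the transport is injected so the audit runs offline.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

API_KEYS_URL = "https://api.chronapilot.com/v1/api_keys"
ROTATE_AFTER = timedelta(days=90)  # "rotate quarterly at minimum"
STALE_AFTER = timedelta(days=30)   # "hasn't been seen in 30 days"

# Constructed records in the shape this example assumes the list endpoint returns.
SAMPLE_KEYS = [
    {"id": "key_01", "prefix": "sk_live_", "created": "2024-01-10T12:00:00Z", "last_used": "2024-06-01T08:00:00Z"},
    {"id": "key_02", "prefix": "rk_live_", "created": "2024-05-20T12:00:00Z", "last_used": "2024-05-21T08:00:00Z"},
    {"id": "key_03", "prefix": "sk_test_", "created": "2024-04-20T12:00:00Z", "last_used": None},
    {"id": "key_04", "prefix": "pk_live_", "created": "2024-04-01T12:00:00Z", "last_used": "2024-04-15T08:00:00Z"},
]


def build_list_request(secret_key: str) -> tuple:
    """Return (method, url, headers) for the list call; only an sk_live_ key is accepted."""
    if not secret_key.startswith("sk_live_"):
        raise ValueError("key management requires an sk_live_ key")
    return "GET", API_KEYS_URL, {"Authorization": f"Bearer {secret_key}"}


def list_keys(secret_key: str, transport: Callable) -> list:
    """Fetch key records through an injected transport(method, url, headers) -> list.

    Keep calls under the documented 10 req/min when paging in a real client.
    """
    method, url, headers = build_list_request(secret_key)
    return transport(method, url, headers)


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp with a trailing Z; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_keys(keys: list, now: datetime) -> dict:
    """Group key ids by the action the rotation policy suggests."""
    findings = {"rotate": [], "retire": [], "never_used": []}
    for k in keys:
        created = parse_ts(k["created"])
        last_used = parse_ts(k.get("last_used"))
        if now - created >= ROTATE_AFTER:
            findings["rotate"].append(k["id"])
        if last_used is None:
            # a key that was created but never seen is stale once it is 30 days old
            if now - created >= STALE_AFTER:
                findings["never_used"].append(k["id"])
        elif now - last_used >= STALE_AFTER:
            findings["retire"].append(k["id"])
    return findings


def fake_transport(method: str, url: str, headers: dict) -> list:
    """Offline stand-in for the HTTP call, returning the constructed sample."""
    assert method == "GET" and url == API_KEYS_URL and "Authorization" in headers
    return SAMPLE_KEYS


if __name__ == "__main__":
    now = datetime(2024, 6, 3, tzinfo=timezone.utc)
    # placeholder key, not a real one
    records = list_keys("sk_live_PLACEHOLDER", fake_transport)
    print(audit_keys(records, now))
```

Swap fake_transport for a real HTTP call once the key is loaded from your secrets manager; the audit logic itself does not change.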