Skip to main content

Overview

On the Metriport Developer Dashboard, we support generating API keys. You can have up to two API keys active at the same time, which lets you rotate your keys without any downtime. For your security, read through this page to understand how to use them.
If you believe any of your keys have been compromised, you can always revoke them on the Settings page by clicking the trash button beside the key. This will make the key inactive immediately, and you’ll need to subsequently generate a new one.

The API Key

The API Key will give you full access to the Metriport API. This key has the ability to perform destructive operations, and as such, we recommend treating it with the same care as your account password. Generally, this key should only be used in your backend services, not shared with anyone, and never exposed in plain text.
Include your API key in the x-api-key header for all API requests.
As you probably know, don’t commit this key in plain text to your repositories either - even if your repos are private.

Rotating your API keys

You can have up to two API keys active at the same time. Both keys have full access to the API and can be used interchangeably, so you can rotate your keys with zero downtime - generate a new key and roll it out across your services before revoking the old one, so your requests never fail mid-rotation. We recommend rotating your keys periodically, and immediately if you believe one has been compromised. To rotate your keys on the Developer Dashboard:
  1. Generate a second key. On the Settings page, generate a second API key. Both keys are now active and can be used interchangeably.
  2. Roll out the new key. Update your backend services to send the new key in the x-api-key header, then deploy and confirm all traffic is using the new key.
  3. Revoke the old key. Once no services are using the old key, revoke it on the Settings page by clicking the trash button beside it. It becomes inactive immediately.