> ## Documentation Index
> Fetch the complete documentation index at: https://docs.metriport.com/llms.txt
> Use this file to discover all available pages before exploring further.

# API Keys

> Learn more about API key security best practices.

## Overview

On the [Metriport Developer Dashboard](https://dash.metriport.com/developers), we support generating API keys. You can have up to two API keys active at the same time, which lets you [rotate your keys](#rotating-your-api-keys) without any downtime.

For your security, read through this page to understand how to use them.

<Warning>
  If you believe any of your keys have been compromised, you
  can always revoke them on the Settings page by clicking
  the trash button beside the key. This will make the key
  inactive immediately, and you'll need to subsequently
  generate a new one.
</Warning>

## The API Key

The API Key will give you full access to the Metriport API. This key has the
ability to perform destructive operations, and as such, we recommend treating it with the same
care as your account password.

Generally, this key should only be used in your backend services, not shared with anyone,
and never exposed in plain text.

<Info>
  Include your API key in the `x-api-key` header for all API
  requests.
</Info>

<Warning>
  As you probably know, don't commit this key in plain text
  to your repositories either - even if your repos are
  private.
</Warning>

## Rotating your API keys

You can have up to two API keys active at the same time. Both keys have full access to the API and
can be used interchangeably, so you can rotate your keys with zero downtime - generate a new key and
roll it out across your services before revoking the old one, so your requests never fail mid-rotation.

We recommend rotating your keys periodically, and immediately if you believe one has been compromised.

To rotate your keys on the [Developer Dashboard](https://dash.metriport.com/developers):

1. **Generate a second key.** On the Settings page, generate a second API key. Both keys are now
   active and can be used interchangeably.
2. **Roll out the new key.** Update your backend services to send the new key in the `x-api-key`
   header, then deploy and confirm all traffic is using the new key.
3. **Revoke the old key.** Once no services are using the old key, revoke it on the Settings page by
   clicking the trash button beside it. It becomes inactive immediately.
