DriftGuard uses API keys to authenticate all requests. Every API call (except GET /api/v1/health)
must include your key in the X-API-Key header.
All DriftGuard API keys follow this format:
dg_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
dg_test_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
dg_(live|test)_<24+ characters> — meaning the total key
length must be 32 characters minimum. Any key that doesn’t match this pattern
will be rejected with a 401 before even reaching the auth check.
- Never commit your API key to git or share it in public forums
- Keys are stored as SHA-256 hashes on our servers — we cannot recover a lost key for you
- If you believe your key is compromised, revoke it immediately from your dashboard and create a new one
- We will never ask for your API key via email or support chat
Using Your API Key
Include your key in the X-API-Key header on every request:
curl https://api.driftguard.dev/api/v1/usage \
-H "X-API-Key: dg_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
The correct header name is X-API-Key. Do not use Authorization: Bearer —
that format is not supported and will return a 401.
Key Types
| Prefix | Environment | Behaviour |
|---|
dg_live_ | Production | Credits are deducted per check |
dg_test_ | Development | For local development and CI dry-runs |
dg_test_ keys for development and CI pipelines where you don’t want to consume
production credits. Switch to dg_live_ only when running checks in production.
Key Lifecycle
Keys are managed entirely from your dashboard.
Here’s what happens at each stage:
| Stage | What it means |
|---|
| Created | Full key shown once — copy it immediately, it cannot be retrieved again |
| Active | Key is valid and can authenticate requests |
| Revoked | Key is deactivated — requests will return 401. Can be reactivated. |
| Deleted | Key is permanently removed. Must be revoked before it can be deleted. |
Your key is shown in full only once at creation time. After that, only
the first 16 characters (the preview) are visible. Store your key in a
secrets manager or environment variable immediately.
Rate Limits
| Limit | Value |
|---|
| Requests per minute (per key) | 100 req/min |
| New keys per hour (per user) | 10 keys/hour |
429 Too Many Requests.
Wait for the next minute window and retry.
Managing Keys via API
You can also create and manage keys programmatically via the /api/v1/keys endpoints.
List your keys (previews only — full key is never returned after creation):
curl https://api.driftguard.dev/api/v1/keys \
-H "X-API-Key: dg_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
curl -s -X POST https://api.driftguard.dev/api/v1/keys \
-H "X-API-Key: dg_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-d '{ "environment": "live" }'
{
"id": "key_id_here",
"key": "dg_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"environment": "live",
"is_active": true,
"created_at": "2026-03-01T12:00:00Z"
}
Copy the key value from this response immediately — it will not be shown again.
curl -s -X POST https://api.driftguard.dev/api/v1/keys/{id}/revoke \
-H "X-API-Key: dg_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
curl -s -X POST https://api.driftguard.dev/api/v1/keys/{id}/activate \
-H "X-API-Key: dg_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
curl -s -X DELETE https://api.driftguard.dev/api/v1/keys/{id} \
-H "X-API-Key: dg_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Error Codes
| Status | Meaning |
|---|
401 | Missing key, invalid key format, or key not found |
403 | Key is valid but account has no credits remaining |
429 | Rate limit exceeded — 100 req/min per key |
Best Practices
- Store keys in environment variables or a secrets manager (AWS Secrets Manager, GitHub Secrets, etc.) — never hardcode them
- Use
dg_test_ keys in all non-production environments
- Create separate keys per service or pipeline so you can revoke individual integrations without disrupting others
- Rotate keys periodically — revoke the old one and create a new one from the dashboard
