Authentication

ApiOne uses API key authentication. Every request must include your API key in the X-API-Key header. Keys are generated in the Dashboard, shown once at creation, and stored only as a SHA-256 hash — ApiOne cannot recover your plaintext key if you lose it.

Generating your API key

Log in to your Dashboard and navigate to API Keys → Generate new key. Give the key a descriptive name such as production-crm-enrichment. The key will be shown exactly once. Copy it immediately and store it in a secrets manager or environment variable — never in source code or a client-side application.

Using your API key in requests

Include the key in the X-API-Key header on every request:

curl -X POST https://apione.store/api/v1/companies/enrich \
  -H "X-API-Key: ak_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"domain": "example.com"}'

Never include your API key in a URL query parameter or in client-side JavaScript. Both expose the key to server logs and browser history.

Key security

ApiOne applies the following protections to all API keys:

Protection | Detail
SHA-256 hashing | Your key is hashed using SHA-256 immediately on receipt. Only the hash is stored in the database. ApiOne cannot retrieve your plaintext key.
190-bit entropy | Keys are generated using a cryptographically secure random generator with 32 characters of nanoid entropy, providing approximately 190 bits of randomness.
TLS 1.3 | All traffic between your application and ApiOne is encrypted using TLS 1.3 with AES-256-GCM.
No query logging | The domain, company name, email, or any other input you send is never written to persistent storage. ApiOne logs only the endpoint name, credits used, and HTTP status code.
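
How hash-only key storage behaves, as an added example that is not ApiOne's code: the in-memory KeyStore class, its method names and the 64-symbol alphabet are assumptions made for illustration, while the ak_live_ prefix, the 32-character length and SHA-256 come from this page.

```python
import hashlib
import hmac
import math
import secrets

# Assumption: the 64 URL-safe symbols nanoid uses by default (6 bits each).
# The page does not state which alphabet ApiOne uses.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-"
KEY_PREFIX = "ak_live_"  # prefix as shown in the curl example
KEY_LENGTH = 32          # random characters after the prefix


def entropy_bits(length=KEY_LENGTH, alphabet=ALPHABET):
    """Bits of randomness in `length` characters drawn uniformly from `alphabet`."""
    return length * math.log2(len(alphabet))


def hash_key(plaintext):
    """SHA-256 hex digest: the only form of the key that is persisted."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


class KeyStore:
    """Hypothetical in-memory stand-in for the key table: label -> hash."""

    def __init__(self):
        self._hashes = {}

    def generate(self, label):
        """Create or regenerate a key; the plaintext is returned once, never kept."""
        body = "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))
        plaintext = KEY_PREFIX + body
        self._hashes[label] = hash_key(plaintext)  # replaces any previous hash
        return plaintext

    def verify(self, presented):
        """Return the matching label, or None (the 401 invalid_api_key case)."""
        if not isinstance(presented, str) or not presented.startswith(KEY_PREFIX):
            return None
        candidate = hash_key(presented)
        for label, stored in self._hashes.items():
            # Constant-time comparison of the two hex digests.
            if hmac.compare_digest(candidate, stored):
                return label
        return None
```

A fast, unsalted hash is acceptable here only because the key itself carries roughly 190 bits of randomness; the same scheme is not suitable for human-chosen passwords.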

Key rotation

To rotate your key, go to Dashboard → API Keys and click Regenerate. The old key is invalidated immediately. Update your application before rotating in production to avoid downtime.

Error responses

HTTP status | Code | Meaning
401 | invalid_api_key | Key is missing, malformed, or does not match any active key
403 | insufficient_credits | Your account has no remaining credits
429 | rate_limit_exceeded | You have exceeded the request rate for your plan

See the full error handling reference for all error codes and recommended retry strategies.

FAQ

Can I have multiple API keys?

Yes. You can generate multiple keys from the Dashboard and assign each one a label. This is useful for separating production and development environments or for different integrations.

What happens if I lose my key?

ApiOne cannot recover a lost key because only the SHA-256 hash is stored. Generate a new key from the Dashboard and update your application.

Is my key stored in plaintext anywhere?

No. ApiOne stores only the SHA-256 hash of your key. The plaintext is shown once at creation and never retained on any server.

Can I restrict a key to specific endpoints?

Endpoint-level key scoping is on the roadmap. Currently, each key has access to all endpoints available on your plan.