Authentication
How to authenticate API requests with your API Key.
Every POST /screenshot request must include a valid API Key. Authentication happens before any Render work starts.
Header format
Send your key in the Authorization header as a Bearer token:
Authorization: Bearer shot_yourkey_here
Missing or malformed headers return 401 with one of:
| Code | Meaning |
|---|---|
| missing_api_key | No Authorization header |
| invalid_api_key | Key not recognized (wrong value or typo) |
| revoked_api_key | Key was revoked from the dashboard |
Key format and prefix
API Keys use the shot_ prefix (placeholder until product naming is finalised). The full plaintext is shown once at creation; after that the dashboard displays a masked form:
shot_••••••••AbCd
The visible prefix and last four characters help you identify keys in logs without exposing the secret.
Keys are stored as SHA-256 hashes — we never persist the plaintext server-side after the creation response.
Key management
Manage keys from the API keys dashboard:
- Create — give the key a label (1–64 characters). The plaintext appears in a one-time modal with a Copy button.
- Revoke — permanent. Code using a revoked key receives 401 revoked_api_key within about 60 seconds (keys are cached in Redis with a 60s TTL).
Each key belongs to one Account and inherits that Account's Plan (Free, Starter, or Pro) for rate limits and Quota.
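An added sketch, not the service's own code, of the checks described above: the three 401 codes, SHA-256-only storage, the masked form, and why a revoked key can still be accepted until a cached entry expires. The names `KeyStore`, `key_hash`, `mask` and `authenticate` are hypothetical, in-memory dicts stand in for the database and Redis, and mapping a malformed header to `invalid_api_key` is an assumption.

```python
import hashlib
import time

CACHE_TTL = 60  # seconds, the cache TTL stated on this page

def key_hash(plaintext):
    # Only the SHA-256 digest is stored, never the plaintext.
    return hashlib.sha256(plaintext.encode()).hexdigest()

def mask(plaintext):
    # Masked display form: prefix, bullets, last four characters.
    return "shot_" + "•" * 8 + plaintext[-4:]

class KeyStore:
    """Constructed stand-in for the key database plus a TTL cache."""
    def __init__(self):
        self.db = {}     # digest -> "active" | "revoked"
        self.cache = {}  # digest -> (status, expires_at)

    def create(self, plaintext):
        self.db[key_hash(plaintext)] = "active"

    def revoke(self, plaintext):
        self.db[key_hash(plaintext)] = "revoked"  # cached entries age out

    def status(self, digest, now):
        hit = self.cache.get(digest)
        if hit and hit[1] > now:
            return hit[0]  # may be stale for up to CACHE_TTL seconds
        status = self.db.get(digest)
        if status is not None:
            self.cache[digest] = (status, now + CACHE_TTL)
        return status

def authenticate(headers, store, now=None):
    """Return the 401 error code, or None when the key is accepted."""
    now = time.time() if now is None else now
    value = headers.get("Authorization")
    if value is None:
        return "missing_api_key"
    scheme, _, token = value.partition(" ")
    # Assumption: a malformed header is reported as invalid_api_key.
    if scheme != "Bearer" or not token.startswith("shot_"):
        return "invalid_api_key"
    status = store.status(key_hash(token), now)
    if status is None:
        return "invalid_api_key"
    return "revoked_api_key" if status == "revoked" else None
```

Passing `now` explicitly lets you step through the revocation window without waiting: a key validated at t=0 and revoked afterwards is still accepted at t=30 and rejected at t=61.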
Security practices
- Store keys in environment variables or a secrets manager — never commit them to git.
- Rotate keys by creating a new one, deploying the new value, then revoking the old key.
- Treat each key as full-access. Scoped or read-only keys are not available in the current release.
See Errors for the full authentication error reference.