Skip to Content
APIAPI Keys

API Keys

API keys authenticate requests to the redu.cloud API.

Treat them as secret credentials.


Create an API key

  1. Open the Console and log in:
https://console.redu.cloud
  1. Navigate to:
https://console.redu.cloud/category/user/api-keys
  1. Click Generate API Key
  2. Copy the key immediately

API keys are only shown once after creation.


Use an API key

Include your API key in every request using the x-api-key header:

x-api-key: YOUR_API_KEY

Example:

curl https://api.redu.cloud/v1/me \ -H "x-api-key: YOUR_API_KEY"

For full examples in different languages, see Authentication.


Scopes

By default an API key has full access. You can instead scope a key to exactly the actions it needs, so an agent or a deployed app carries a least-privilege credential.

When generating a key in the Console, open Advanced to pick specific resource:action capabilities. To create a scoped key programmatically, pass a scopes array (omit it for full access):

{ "name": "nightly-backups", "scopes": ["instance:read", "backup:read", "backup:create", "backup:restore"] }

This key can list instances and create or restore backups, and nothing else. A request outside its scopes returns 403 insufficient_scope.

Creating API keys itself requires the api_key:create scope (or a full-access key), and a key can never grant scopes broader than its creator’s. See Scopes and Permissions for the full grammar, the least-privilege examples, and how to discover every action at runtime via /v1/capabilities.

An API key also inherits the account it was created under. If that account loses access to a project, the key loses access as well.


Rotate a key

To rotate an API key safely:

  1. Generate a new key
  2. Update your applications to use the new key
  3. Verify requests succeed
  4. Revoke the old key

Do not revoke the old key before confirming the new one works.


Revoke an API key

You can revoke a key at any time from the Console.

Revoked keys immediately lose access.


Security best practices

  • Do not commit API keys to Git repositories
  • Do not expose API keys in frontend applications
  • Rotate keys periodically
  • Revoke keys that are no longer in use
Last updated on