API keys
API keys authenticate every request to the QDivZero gateway. The platform never stores plaintext keys — the create endpoint returns the secret exactly once. After that, only a short prefix is kept for display.
Plaintext is one-time
When you create a key, the full token is shown in the response and on the success screen. Copy it to your secret manager before leaving the page. If you lose it, revoke the key and create a new one.
Operations
| Operation | Endpoint | Description |
|---|---|---|
| List | GET /api-keys | Returns the keys for the current account, sorted by creation date in descending order. |
| Create | POST /api-keys | Generates a new key, returns the plaintext once. Plaintext is never stored. |
| Revoke | POST /api-keys/{id}/revoke | Marks the key as revoked. Existing in-flight requests complete normally. |
Token format
Tokens follow the shape qdiv0_sk_<32 random base62 chars>. The platform stores a SHA-256 hash of the full token, along with the first eight characters as the visible prefix.
```text
# Example prefix
qdiv0_sk_aB12cD34…
```
Lifecycle
| State | Meaning |
|---|---|
| active | The key is valid and can authenticate every request. |
| revoked | The key is rejected by the gateway. Revocation is immediate and cannot be undone. |
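The token format and lifecycle described above can be sketched as follows. This is an added example, not QDivZero's own code: the function names, the record layout, and the reading of the display prefix as the `qdiv0_sk_` tag plus the first eight random characters (as in the example prefix) are assumptions.

```python
import hashlib
import hmac
import secrets
import string

BASE62 = string.digits + string.ascii_letters
TOKEN_PREFIX = "qdiv0_sk_"


def new_token() -> str:
    """Generate qdiv0_sk_<32 random base62 chars> from the OS CSPRNG."""
    return TOKEN_PREFIX + "".join(secrets.choice(BASE62) for _ in range(32))


def to_record(token: str) -> dict:
    """What gets persisted: hash, display prefix, state. Never the plaintext."""
    return {
        "sha256": hashlib.sha256(token.encode()).hexdigest(),
        # Assumption: display prefix = scheme tag + first eight random chars,
        # matching the "qdiv0_sk_aB12cD34…" example.
        "prefix": token[: len(TOKEN_PREFIX) + 8],
        "state": "active",
    }


def well_formed(token: str) -> bool:
    """Reject anything that does not match the documented shape before hashing."""
    body = token[len(TOKEN_PREFIX):]
    return (token.startswith(TOKEN_PREFIX) and len(body) == 32
            and all(c in BASE62 for c in body))


def verify(presented: str, records: list) -> bool:
    """Accept only a well-formed token whose hash matches an active record."""
    if not well_formed(presented):
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    ok = False
    for rec in records:
        # compare_digest avoids leaking the match position through timing
        if hmac.compare_digest(digest, rec["sha256"]) and rec["state"] == "active":
            ok = True
    return ok


def revoke(record: dict) -> None:
    record["state"] = "revoked"  # one-way: no transition back to active
```

A plain SHA-256 is adequate here only because the 32 random base62 characters carry roughly 190 bits of entropy; the same scheme would be unsafe for user-chosen passwords.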
Security checklist
- Store keys in a dedicated secret manager (AWS Secrets Manager, GCP Secret Manager, Doppler, etc.).
- Treat the plaintext as a one-time secret — copy it on creation and never log it.
- Use a separate key per environment (dev / staging / prod) and per service.
- Rotate keys on a fixed schedule and immediately on any suspected leak.
- Prefer short-lived automation keys and rotate on every deploy.
Authenticating with a key
Pass the token in the Authorization header. The platform also accepts the key in a short-lived cookie when called from the dashboard.
```bash
curl https://api.qdiv0.com/v1/billing/balance \
  -H "Authorization: Bearer $QDIV0_API_KEY"
```