Skip to main content

API Keys

QRForge uses server-to-server API keys to authenticate and authorize all public API traffic.
API keys are managed per user account and scoped to your subscription plan and associated rate limits.

Creating an API Key

API keys are created in the QRForge dashboard:

Dashboard → Settings → API Keys → “Create API Key”

Each key is generated in the format:

api_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

QRForge does not issue test keys.
All keys are live keys, subject to your plan’s API quotas.

Authentication Header

All API requests must include the following header:

x-api-key: YOUR_API_KEY

Example:

curl -X GET \
  -H "x-api-key: api_live_123456789" \
  "https://api.qrforge.link/v1/qr-codes"

Missing or incorrect API keys return:

401 unauthorized

API Key Permissions

Each API key is tied to:

  • Your user account
  • Your active subscription plan
  • Your per‑minute and per‑day rate limits
  • Your active project set

API keys inherit the same permissions you have in the dashboard.
They can:

  • Create QR codes
  • Update QR codes
  • Retrieve QR codes
  • List QR codes
  • Manage projects (create, list)

They cannot:

  • Modify billing
  • Delete QR codes (QRs are archived, not deleted)
  • Modify subscription state
  • Access internal system data

Rotating API Keys

You can rotate a key at any time from the dashboard.

When rotated:

  1. The old key is immediately invalidated
  2. A new key is issued
  3. API requests using the old key will begin to return:
401 unauthorized — API key not found or inactive

Revoking API Keys

You may revoke any API key at any time.
Once revoked, the key cannot be recovered.

Use revocation if:

  • You suspect your key is compromised
  • You no longer need automation on that key
  • You want to reduce exposure risk

Best Practices

  • Do not expose API keys in frontend code.
    They are backend‑only.

  • Store your key in environment variables, not hardcoded source files.

  • Rotate keys regularly (every 60–90 days recommended).

  • Use separate keys for separate environments or workloads.

  • Never commit keys into Git repositories.

Example Error Responses

StatusCodeMeaning
401unauthorizedAPI key missing or invalid
401api_key_inactiveKey revoked or disabled
429rate_limit_minute / dayYour quota was exceeded

If you need higher throughput or multiple API keys, contact support for an Enterprise plan.