Authentication
Every request to the Prooflio API must include a valid API key. This page covers how to create keys, attach them to requests, and keep your credentials secure.
API Keys
Creating a Key
- Open your Prooflio dashboard.
- Navigate to Settings > API Keys.
- Click Create API Key.
- Give the key a descriptive name (e.g., “Website Integration” or “CI Pipeline”).
- Optionally, set an expiration date.
- Click Generate. Copy the key immediately — it will not be shown again.
The full key is only displayed once at creation time. Prooflio stores a SHA-256 hash of the key for security. If you lose it, you must create a new key.
Plan Requirements
API access is available on Growth and Agency plans:
| Plan | API Access | Rate Limit |
|---|---|---|
| Free | No | — |
| Starter | No | — |
| Growth | Yes | 60 requests/minute |
| Agency | Yes | 200 requests/minute |
Key Management
API keys are managed by users with the Owner or Admin role in the organization. Each key tracks its lastUsedAt timestamp for audit purposes.
Expiration
When creating a key you may set an optional expiration date. Expired keys return a 401 Unauthorized error and must be regenerated. If no expiration is set, the key remains valid until it is manually revoked.
Using the Key
Pass your API key in the Authorization header as a Bearer token:
curl "https://app.prooflio.io/api/v1/reviews" \
-H "Authorization: Bearer YOUR_API_KEY"Do not pass the API key as a query parameter. Query parameters may be logged by proxies and servers, exposing your credentials.
Key Lifecycle
You can view and manage all keys from the Settings > API Keys page:
| Action | Description |
|---|---|
| View | See the key name, prefix, creation date, last used date, and expiration. The full key value is hidden after creation. |
| Revoke | Immediately invalidate a key. Any in-flight request using that key will fail. This action is irreversible. |
Security Best Practices
Treat your API key like a password. Anyone with access to the key can read your organization’s review data.
- Never commit keys to version control. Use environment variables or a secrets manager instead.
- Set expiration dates for keys used in temporary integrations or by contractors.
- Rotate keys regularly. Revoke and regenerate keys every 90 days as a best practice.
- Monitor usage. Check the
lastUsedAttimestamp on your keys to detect unauthorized use.
Error Responses
401 Unauthorized
Returned when the API key is missing, malformed, expired, or revoked.
{
"error": "unauthorized",
"message": "Invalid or missing API key.",
"details": []
}403 Forbidden
Returned when the API key is valid but the organization’s plan does not include API access.
{
"error": "forbidden",
"message": "API access requires a Growth plan or higher.",
"details": []
}