API Keys
API Keys are the credentials used for admin-level server-to-server authentication with the Gamopanda API. Each key pair consists of an apiKey identifier and an apiSecret — both generated by the platform on creation. They are sent as request headers (x-api-key and x-api-secret) on every admin API call.
The apiSecret is returned only once — at the moment the key is created. It cannot be retrieved again. If you lose it, you must delete the key and create a new one.
How it works
- Create an API key — provide a
nameand optionaldescription. The platform generates theapiKeyandapiSecretvalues automatically and returns the secret in the creation response. - Store the secret securely — copy the
apiSecretfrom the response and store it in your secrets manager or environment variables. It will not be shown again. - Authenticate requests — include both values as headers on every admin API call:
Code
- Rotate when needed — delete the old key and create a new one to rotate credentials. Update your services with the new
apiSecretbefore deleting the old key. - Revoke instantly — set
statustopausedto disable a key without deleting it, orDELETEto remove it permanently.
Fields
| Field | Type | Required | Notes |
|---|---|---|---|
name | string | ✅ | A unique, human-readable label for this key. Max 256 chars. |
description | string | ❌ | Optional notes about what this key is used for. Max 1 024 chars. |
apiKey | string | — | System-generated identifier. Read-only. Max 32 chars. Returned on every GET. |
apiSecret | string | — | System-generated secret. Read-only. Max 64 chars. Returned on POST (create) only — never again. |
status | enum | ✅ | draft · live · paused. Only live keys are accepted for authentication. |
Creating an API key
Code
The apiSecret returned in this response is the only time it will be shown. Store it immediately in a secrets manager (e.g. AWS Secrets Manager, HashiCorp Vault, or a .env file that is not committed to version control).
Using the key to authenticate
Once created, include both values as HTTP headers on all admin API requests:
Code
Rotating a key
To rotate credentials without downtime:
- Create a new key —
POST /schema/apikey/recordwith a new name. - Deploy the new credentials — update
x-api-key/x-api-secretin all services that use the old key. - Verify — confirm all services are using the new key successfully.
- Delete the old key —
DELETE /schema/apikey/record/{old-key-id}.
Revoking a key
To temporarily suspend a key without deleting it:
Code
Requests using a paused or draft key will be rejected with 401 Unauthorized.
Access & permissions
| Caller | Allowed operations | Notes |
|---|---|---|
| Admin | CREATE · GET · LIST · UPDATE · DELETE | Full control — admin credentials required for all operations |
| End user | (none) | Not accessible |
| Guest user | (none) | Not accessible |
Security best practices
- Never expose credentials in client-side code — API keys are for server-to-server calls only. The end-user widget uses
x-enduser-access-tokenandx-account-idinstead. - One key per service — create a separate key for each service or environment (staging, production) so you can rotate or revoke them independently.
- Least privilege by name — while all admin keys have the same permissions, naming them clearly (e.g.
"order-service-prod") makes audit logs easier to trace. - Rotate regularly — establish a rotation policy (e.g. every 90 days) and use the rotation workflow above.
Related resources
| Resource | Description |
|---|---|
| Introduction | Overview of both authentication flows — admin (x-api-key / x-api-secret) and end-user (x-enduser-access-token / x-account-id) |
API reference
See the API Reference for full request/response schemas and interactive examples for:
GET /schema/apikey/record— list API keysPOST /schema/apikey/record— create an API keyGET /schema/apikey/record/{id}— get an API key by IDPATCH /schema/apikey/record/{id}— update an API keyDELETE /schema/apikey/record/{id}— delete an API key