How to use API keys safely

API keys let skills, scripts, and external integrations act as your authenticated PredictDog app user on supported routes. Create them from the web product, test with a read endpoint first, and revoke them immediately if they are exposed.

Setup steps

1. Create a key from API Management

Open Profile → API Management, choose the permissions you need, choose an expiry preset if needed, and create the key. The full token is shown once immediately after creation.

2. Use the token as your app credential

API keys act as your authenticated PredictDog app user for supported API routes. Send the token in X-API-Key or in Authorization: Bearer when calling protected endpoints.

3. Test against a read endpoint first

Before wiring the key into an agent or integration, call a read endpoint such as /api/auth/me to confirm the key is valid and linked to the expected account.

4. Revoke and rotate when exposed

If a key is pasted into the wrong place, logged accidentally, or shared outside the intended integration, revoke it from the API Management page and mint a new one.


Rules to follow

Scopes are descriptive today

The API key permissions shown during creation are stored with the key and documented for integration planning. Route-level enforcement may still evolve, so validate the exact endpoints your integration will call.

Management routes still need a web session

API keys are for app access, not for managing themselves. Listing, creating, or revoking API keys should still be done from the signed-in web product.

Use HTTPS in production

Production requests should use the secure API base URL. If you test with plain HTTP on the production domain, the request can be redirected before the actual auth check runs.


Quick test flow

| Step | What to do | Expected result |
| --- | --- | --- |
| 1. Mint a key | Create a key from API Management and copy the token immediately. | You receive a token starting with pd_pat_. |
| 2. Call auth/me | Send the key to the auth/me endpoint using X-API-Key or Authorization: Bearer. | The API returns ok: true and your account identity. |
| 3. Check a real integration route | Call the exact route your script or skill will use after auth/me succeeds. | The route responds as your authenticated app user. |
| 4. Revoke and retry | Revoke the key from the web page and repeat the same request. | The route should fail auth immediately. |

Code samples

Production health check

curl -i https://api.predictdog.xyz/api/auth/me \
  -H "X-API-Key: pd_pat_your_token_here"

Local web proxy check

curl -i http://localhost:3000/api/polybot/auth/me \
  -H "X-API-Key: pd_pat_your_token_here"

Browser or agent fetch example

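// Call the read endpoint with the key in the X-API-Key header.
const response = await fetch('https://api.predictdog.xyz/api/auth/me', {
  headers: {
    'X-API-Key': 'pd_pat_your_token_here',
  },
})

// A valid key returns ok: true and your account identity.
const json = await response.json()
console.log(json)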
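
Key check with guardrails

The quick test flow and the HTTPS rule above, combined into one reusable check. This is an added example, not PredictDog's own code: the function names, the result labels, the PREDICTDOG_API_KEY environment variable, and the reading of 401/403 as a failed auth are assumptions.

```javascript
// Added example, not PredictDog code. Function names, result labels and the
// PREDICTDOG_API_KEY environment variable are assumptions of this sketch.
const AUTH_ME = 'https://api.predictdog.xyz/api/auth/me';

// Build the request, refusing inputs that would expose or misroute the key.
function buildAuthRequest(endpoint, token) {
  if (typeof token !== 'string' || !token.startsWith('pd_pat_')) {
    throw new Error('token does not start with pd_pat_');
  }
  const url = new URL(endpoint);
  const isLocal = url.hostname === 'localhost' || url.hostname === '127.0.0.1';
  if (url.protocol !== 'https:' && !isLocal) {
    throw new Error('refusing to send an API key over plain HTTP');
  }
  // redirect: 'manual' surfaces a redirect instead of silently following it.
  const options = { headers: { 'X-API-Key': token }, redirect: 'manual' };
  return { url: url.href, options };
}

// Map a response to an outcome. Status 0 is a browser opaque redirect.
// Treating 401/403 as "auth failed" is an assumption; the page gives no code.
function classify(status, body) {
  if (status === 0 || (status >= 300 && status < 400)) return 'redirected-before-auth';
  if (status === 401 || status === 403) return 'rejected';
  if (status === 200 && body && body.ok === true) return 'valid';
  return 'unexpected';
}

// fetchImpl is injectable so the check can be exercised without the network.
async function checkKey(endpoint, token, fetchImpl = fetch) {
  const { url, options } = buildAuthRequest(endpoint, token);
  const res = await fetchImpl(url, options);
  let body = null;
  try { body = await res.json(); } catch { /* no JSON body, e.g. a redirect */ }
  const status = res.type === 'opaqueredirect' ? 0 : res.status;
  // Report only the key prefix so the result is safe to log.
  return { result: classify(status, body), key: token.slice(0, 7) + '...' };
}

// Runs only when a key is supplied through the environment, never hard-coded.
if (typeof process !== 'undefined' && process.env.PREDICTDOG_API_KEY) {
  checkKey(AUTH_ME, process.env.PREDICTDOG_API_KEY).then(console.log, console.error);
}
```

Run the same check again after revoking the key: the result should change from valid to rejected.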