Authentication

Authenticate your API requests with API keys.

All API requests require authentication using an API key.

Getting an API key

Log in to your oqui dashboard
Go to Settings > Developer > API Keys
Click Create API Key
Give your key a descriptive name
Copy the key immediately (it won't be shown again)

API keys are prefixed with ckiq_live_ for production or ckiq_test_ for test environments.

Using your API key

Include your API key in the Authorization header of every request:

Authorization: Bearer ckiq_live_your_api_key_here

Example request

curl -X POST https://oqui.io/api/v1/assess \
  -H "Authorization: Bearer ckiq_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{ ... }'

API key security

Best practices:

Never commit API keys to version control
Use environment variables to store keys
Rotate keys periodically
Use separate keys for development and production
Monitor API usage for anomalies

If a key is compromised:

Immediately revoke the key in your dashboard
Create a new key
Update your applications
Review API logs for unauthorized usage

Rate limiting

Each API key has a rate limit of 60 requests per minute by default.

When you exceed the limit, you'll receive a 429 response:

{
  "error": "Rate limit exceeded",
  "retry_after": 60,
  "limit": 60
}

Wait for retry_after seconds before retrying.

Credits

API requests consume credits from your account balance:

1 credit per successful assessment
Failed assessments (processing errors) don't consume credits
Check your balance in the dashboard or via API

If you have insufficient credits, you'll receive a 402 response:

{
  "error": "Insufficient credits",
  "credits_required": 1,
  "credits_available": 0
}

Managing API keys

In your dashboard, you can:

View all keys - See name, prefix, and creation date
Revoke keys - Immediately disable a key
Create new keys - Generate additional keys
View usage - See request counts and patterns

Each team account can have multiple API keys for different purposes (e.g., production, staging, different applications).

API key security

Best practices:

Never commit API keys to version control

Use environment variables to store keys

Rotate keys periodically

Use separate keys for development and production

Monitor API usage for anomalies

If a key is compromised:

Immediately revoke the key in your dashboard

Create a new key

Update your applications

Review API logs for unauthorized usage

Credits

API requests consume credits from your account balance:

1 credit per successful assessment

Failed assessments (processing errors) don't consume credits

Check your balance in the dashboard or via API

If you have insufficient credits, you'll receive a 402 response:

{ "error": "Insufficient credits", "credits_required": 1, "credits_available": 0 }

Managing API keys

In your dashboard, you can:

View all keys - See name, prefix, and creation date

Revoke keys - Immediately disable a key

Create new keys - Generate additional keys

View usage - See request counts and patterns

Each team account can have multiple API keys for different purposes (e.g., production, staging, different applications).