Authentication
All PixelByte API requests require authentication via an API key sent in theAuthorization header.
Making Authenticated Requests
Include your API key as a Bearer token in theAuthorization header:
Creating API Keys
- Sign in to the PixelByte Dashboard
- Navigate to Settings > API Keys
- Click Create New Key
- Configure scopes and IP restrictions (optional)
- Copy your key immediately
API Key Scopes
Scopes restrict what operations an API key can perform. When creating a key, you can assign one or more scopes:An empty scopes array (
[]) means the key has full access to all operations. To follow the principle of least privilege, assign only the scopes your application needs.Scope Examples
Full access key (empty array):IP Whitelisting
Restrict API key usage to specific IP addresses for added security. When creating or updating a key, provide a list of allowed IPs:403 IP_NOT_WHITELISTED error.
Key Rotation
Rotate your API keys periodically to minimize the impact of key exposure. Recommended rotation workflow:- Create a new API key with the same scopes
- Update your application to use the new key
- Verify the new key works in production
- Deactivate the old key from the dashboard
PixelByte supports multiple active keys simultaneously, allowing zero-downtime rotation.
Error Codes
Authentication and authorization errors return the following codes:Error Response Example
Security Best Practices
Use Environment Variables
Never hardcode API keys in source code. Use environment variables or a secrets manager.
Limit Scopes
Assign only the scopes each key needs. Avoid full-access keys when possible.
Enable IP Whitelisting
Restrict keys to known server IPs in production environments.
Rotate Regularly
Rotate keys on a regular schedule and immediately if a key may have been exposed.
