Documentation
Authentication & environments
API keys as implemented β one prefix pair, minted from the business portal.
Key families
| Prefix | Usage |
|---|---|
sk_live_* | Server-side only; full job control. Requires the business to hold an active certificate. |
sk_test_* | Same shape, for integration testing. Does not require an active certificate. |
Keys are minted and revoked from a businessβs /keys page in the portal. Plaintext is shown once, at creation, and never stored β only a SHA-256 hash and a display prefix persist.
How seal_api validates a key
seal_api reads the app.api_key table directly from the same Neon Postgres database this portal writes to β hashes the incoming Bearer token and looks up a non-revoked match. There is no key-sync job between the portal and seal_api.
Rotation
Create a new key from /keys, roll it out, then revoke the old one from the same page. There is no automatic grace period β revoking a key takes effect immediately.