Authorization header. API keys are tied to your account, carry specific permission scopes, and are the primary mechanism for tracking and enforcing your plan’s rate limits. There are no public endpoints — even read-only queries require a valid key.
Getting an API Key
1
Sign in to your dashboard
Go to surchi.xyz/dashboard and sign in with your account credentials.
2
Navigate to API Keys
Open the left sidebar and click Settings, then select API Keys from the settings menu.
3
Click "Create New Key"
Click the Create New Key button in the top-right corner of the API Keys page.
4
Name your key and choose its scope
Give the key a descriptive name (e.g.
prod-trading-bot or dev-portfolio-app) so you can identify it later. Select the minimum set of scopes your application needs. See the Key Scopes table below for available options.5
Copy the key immediately
After creation, your full API key is displayed exactly once. Copy it now and store it in a secure secrets manager or environment variable. If you lose it, you will need to revoke the key and create a new one.
Using Your API Key
Pass your API key in theAuthorization header using the Bearer scheme on every request. The header must be formatted exactly as shown — including the Bearer prefix followed by a single space.
Key Scopes
When you create an API key, you assign it one or more scopes that define what it is allowed to do. Use the narrowest set of scopes your application actually requires — this limits the blast radius if a key is ever exposed.Key Rotation
You should rotate your API keys periodically and immediately after any suspected exposure. To rotate a key:- Create a new key with the same scopes as the one you are replacing.
- Deploy the new key to your application and verify it works correctly.
- Revoke the old key from the Settings → API Keys dashboard.
Security Best Practices
Keeping your API keys secure is your responsibility. Follow these practices to minimise risk:- Use environment variables. Never hard-code API keys in your source code. Load them at runtime from environment variables or a secrets manager such as AWS Secrets Manager, HashiCorp Vault, or Doppler.
- Never commit keys to source control. Add a
.envfile (or whichever file holds your secrets) to.gitignore. Scan your repository history if you suspect a key was ever committed, and rotate it immediately. - Use narrow scopes. Issue separate keys for separate applications, each with only the scopes it needs. A compromised read-only key cannot be used to create or destroy alerts.
- Monitor key usage. The SURCHI dashboard shows per-key request volume and error rates. Unusual spikes may indicate your key has been shared or leaked.
- Rotate keys regularly. Even without a known incident, rotating keys every 90 days is a sound practice for production applications.
Authentication Errors
If your key is missing, malformed, or has been revoked, the API returns HTTP401. If your key is valid but lacks the required scope for the endpoint you called, it returns HTTP 403.