API Key
Server-to-server authentication with project-bound API keys
What API Keys Are
API Keys provide a simple, token-based mechanism for server-to-server authentication. Unlike user-facing authentication (passkeys, TOTP), API keys are designed for backend services that need to call the Transcodes API programmatically.
Use API keys when:
- Your backend server needs to call Transcodes APIs directly
- You are building integrations, webhooks, or automation pipelines
- You need machine-to-machine authentication without user interaction
API keys are for server-side use only. Never expose API keys in client-side code, browser environments, or public repositories.
API Key Format
Transcodes API keys follow a structured format that encodes environment and ownership information:
```
tc_{environment}_{orgPublicId}_{shortToken}_{longToken}
```
| Segment | Description |
|---|---|
| tc | Fixed prefix identifying a Transcodes key |
| environment | live for production, test for development |
| orgPublicId | Your organization's public identifier |
| shortToken | Short identifier for quick key lookup |
| longToken | Full cryptographic token for authentication |
Example:
```
tc_live_org_a1b2c3_sk_4f8e2a_9c7d6b5e4f3a2b1c0d9e8f7a6b5c4d3e
```
Creating API Keys
1. Log in to Transcodes Console. Go to Transcodes Console and sign in with your account.
2. Open your project. Select the project you want to create an API key for.
3. Navigate to API Keys. In the project settings, locate the API Keys section.
4. Generate a new key. Click Create API Key and provide a descriptive name for the key (e.g., "Production Backend", "CI/CD Pipeline").
5. Copy the key immediately. The full API key is displayed only once. Copy and store it in a secure location such as your environment variables or secrets manager.

The API key cannot be retrieved again after creation. If you lose it, you must generate a new key.
Using API Keys
Include the API key in the Authorization header of your HTTP requests:
```bash
curl -X GET https://api.transcodes.io/v1/members \
  -H "Authorization: Bearer tc_live_org_a1b2c3_sk_4f8e2a_9c7d..." \
  -H "Content-Type: application/json"
```
Backend Verification Example (Node.js)
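```javascript
const express = require('express');
const app = express();

app.use('/api/webhook', (req, res, next) => {
  // Strip the "Bearer" scheme only where it leads the header value
  const apiKey = req.headers.authorization?.replace(/^Bearer\s+/i, '');

  // Cheap pre-filter: the prefix check rejects obviously malformed input.
  // It does not authenticate the caller.
  if (!apiKey || !apiKey.startsWith('tc_')) {
    return res.status(401).json({ error: 'Invalid API key' });
  }

  // Forward to Transcodes for validation
  next();
});
```
Project Binding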
Each API key is scoped to a specific project. This means:
- A key created for Project A cannot access Project B resources
- You can create multiple keys per project for different services
- Revoking a key only affects the specific integration using it
| Scope | Access |
|---|---|
| Project-scoped | Only resources within the bound project |
| Environment-scoped | live keys access production data, test keys access development data |
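
The key format and the environment scoping above can be combined into a stricter local pre-check than the `startsWith('tc_')` test. This is an added example, not Transcodes code: the function names and `expectedEnv` setting are hypothetical, and the `org_` / `sk_` sub-prefixes are assumed from the single sample key on this page. It parses the segments, rejects keys for the wrong environment, and yields a log-safe identifier without the `longToken`; real validation still happens at Transcodes.

```javascript
// Added example, not Transcodes code. Assumption (from the one sample key on
// this page): orgPublicId looks like "org_<id>" and shortToken like "sk_<id>".
const KEY_PATTERN =
  /^tc_(live|test)_(org_[A-Za-z0-9]+)_(sk_[A-Za-z0-9]+)_([A-Za-z0-9]+)$/;

// Split a key into its documented segments; returns null if malformed.
function parseApiKey(key) {
  if (typeof key !== 'string' || key.length > 256) return null;
  const m = KEY_PATTERN.exec(key);
  if (!m) return null;
  return { environment: m[1], orgPublicId: m[2], shortToken: m[3], longToken: m[4] };
}

// Log-safe form: keeps the lookup segments, drops the secret longToken.
function redactApiKey(key) {
  const p = parseApiKey(key);
  if (!p) return '[malformed key]';
  return `tc_${p.environment}_${p.orgPublicId}_${p.shortToken}_[redacted]`;
}

// Cheap local pre-check before the key is sent on for real validation.
// expectedEnv is 'live' or 'test' for this deployment (hypothetical setting).
function precheckAuthorization(headerValue, expectedEnv) {
  const m = /^Bearer ([^\s]+)$/i.exec(headerValue || '');
  if (!m) return { ok: false, reason: 'missing_bearer' };
  const parsed = parseApiKey(m[1]);
  if (!parsed) return { ok: false, reason: 'malformed_key' };
  if (parsed.environment !== expectedEnv) {
    return { ok: false, reason: 'wrong_environment', logId: redactApiKey(m[1]) };
  }
  return { ok: true, logId: redactApiKey(m[1]) };
}

// Constructed sample input: the example key from this page.
const SAMPLE = 'tc_live_org_a1b2c3_sk_4f8e2a_9c7d6b5e4f3a2b1c0d9e8f7a6b5c4d3e';
console.log(precheckAuthorization(`Bearer ${SAMPLE}`, 'live'));
console.log(precheckAuthorization(`Bearer ${SAMPLE}`, 'test'));
console.log(precheckAuthorization('Bearer tc_not_a_key', 'live'));
```

Logging `logId` instead of the raw header keeps the secret segment out of application logs while still identifying which key was used.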
Redis Caching Strategy
Transcodes uses Redis caching to optimize API key validation performance:
- First request: Key is validated against the database and cached in Redis
- Subsequent requests: Validation uses the cached result, reducing latency
- Cache invalidation: Occurs automatically on key revocation or rotation
This ensures that API key lookups add minimal overhead to your request pipeline.
Key Rotation and Revocation
Rotation Best Practices
- Create the new key before revoking the old one
- Update your services to use the new key
- Verify all services are using the new key
- Revoke the old key once confirmed
Revoking a Key
- Go to your project’s API Keys section in the Console
- Find the key you want to revoke
- Click Revoke
- Confirm the revocation
Revoking an API key is immediate and permanent. Any service using the revoked key will receive 401 Unauthorized responses.
What to do next?
After setting up API key authentication:
- Configure JSON Web Key for JWT-based verification
- Set up Webhooks for event-driven integrations
- Review Token API for token management endpoints