Authentication

Every request to the Prism API carries an Authorization: Bearer <key> header. Keys are not accepted as query parameters. Putting a key in a URL guarantees it shows up in browser history, server logs, or proxy traces.

Key shape

Keys start with a prefix denoting environment. sk_test_ is for development, sk_live_ is for production. The remainder is 40 random characters of base32. Never log a full key.

sk_test_3hN8r2QvPmK9wXyZAbCdEfGhJkLmNoPqRsT
sk_live_9xK4m7BpHzN3vYwQrLsTuViWbXcDdEeFfG

Sending requests

curl https://api.prism.dev/v1/<endpoint> \
  -H "Authorization: Bearer $PRISM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "..." : "..." }'

Test vs live

Test keys run against the same routes but flag responses with "environment": "test" and don't count against your billable quota. Live keys hit production infrastructure and consume your monthly call budget.

Rotation

Rotating a key is one click in the dashboard: Settings → API keys → Rotate. The new key is issued instantly; the old key continues to work for a 24-hour grace window so your deploy can roll. After 24 hours the old key is revoked. There is no way to recover a revoked key. Generate a new one.

Storage guidance

• Store keys in environment variables, secret managers, or platform-native vaults
• Never commit keys to version control. We monitor common public sources and revoke leaked keys automatically
• Restrict the IAM role that can access the secret in your platform of choice
• For client-side use cases (browser, mobile), proxy through your backend. Prism keys are server-only.

Failure modes

• 401 Unauthorized: missing or malformed header
• 403 Forbidden: key is valid but the project lacks access to the endpoint (e.g. paid-tier-only API on a Hobbyist key)
• 429 Too Many Requests: see Rate limits