Authentication
All API requests must be authenticated with an API key. API keys are tied to your Crowd.Credit account and can be managed through the dashboard.
API Key Authentication
Include your API key in the X-API-Key header with every request:
curl -H "X-API-Key: your_api_key_here" \
https://api.crowd.credit/api/v1/accounts/me
Obtaining an API Key
- Log in to the Crowd.Credit App
- Navigate to Settings > API Keys
- Click Create API Key
- Give your key a descriptive name
- Copy the key immediately -- it will only be shown once
Key Management
Permissions
API keys can be scoped with specific permissions:
| Permission | Description |
|---|---|
| read | Read-only access to account data |
| write | Create and modify resources |
| admin | Full access including key management |
Rotation
We recommend rotating API keys every 90 days. To rotate:
- Create a new API key
- Update your application to use the new key
- Verify the new key works
- Delete the old key
Revoking Keys
You can revoke an API key at any time:
- Via Dashboard: Settings > API Keys > Revoke
- Via API:
DELETE /api/v1/keys/{keyId}
Revoked keys are immediately invalidated.
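The last two rotation steps (verify the new key, then delete the old one) can be scripted against the revoke endpoint above. This is an added example, not Crowd.Credit's own code. The `CROWD_*` environment variable names, the use of a separate admin-scoped key for the revoke call, and treating any 2xx status as success are assumptions.

```shell
#!/usr/bin/env bash
# Added example: rotation steps 3-4 (verify the new key, then revoke the old one).
# Assumptions, not from the Crowd.Credit docs: the CROWD_* variable names, and
# that any 2xx status means success while anything else means failure.

API_BASE="https://api.crowd.credit/api/v1"

# Print the HTTP status of one request. The key reaches curl through a config
# stream on stdin, so it never appears in argv (visible via ps) or in the script.
api_status() {
  local key="$1" method="$2" path="$3"
  printf 'header = "X-API-Key: %s"\n' "$key" |
    curl --silent --output /dev/null --write-out '%{http_code}' \
         --max-time 10 --config - --request "$method" "${API_BASE}${path}"
}

is_2xx() { case "$1" in 2[0-9][0-9]) return 0 ;; *) return 1 ;; esac; }

# rotate_key NEW_KEY ADMIN_KEY OLD_KEY_ID
# Returns 0 rotated, 1 new key not accepted, 2 revoke failed, 3 missing input.
rotate_key() {
  local new_key="$1" admin_key="$2" old_key_id="$3" status
  [ -n "$new_key" ] && [ -n "$admin_key" ] && [ -n "$old_key_id" ] || return 3

  # Verify first: a typo or under-scoped new key must not cost us the old one.
  status="$(api_status "$new_key" GET /accounts/me)"
  if ! is_2xx "$status"; then
    echo "new key not accepted (HTTP $status); old key left in place" >&2
    return 1
  fi

  # Revoke with a separate admin-scoped key so the application key itself
  # can stay at read or write permission.
  status="$(api_status "$admin_key" DELETE "/keys/${old_key_id}")"
  if ! is_2xx "$status"; then
    echo "revoking $old_key_id failed (HTTP $status); retry or use the dashboard" >&2
    return 2
  fi
  echo "rotation complete: $old_key_id revoked"
}

# Run only when asked, with all secrets taken from the environment.
if [ "${1:-}" = "rotate" ]; then
  rotate_key "${CROWD_NEW_API_KEY:-}" "${CROWD_ADMIN_API_KEY:-}" "${CROWD_OLD_KEY_ID:-}"
fi
```

A connection failure makes curl report status `000`, which the script treats as a failed verification, so the old key is never revoked on an inconclusive check.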
Security Best Practices
- Never expose API keys in client-side code -- keys should only be used server-side
- Use environment variables -- don't hardcode keys in source code
- Set minimum permissions -- only grant the permissions your application needs
- Monitor usage -- review API key activity regularly for unauthorized access
- Use IP allowlists -- restrict API key usage to known IP addresses when possible