How to Manage API Keys
This guide shows you how to create, manage, and secure API keys in Peakhour for programmatic access to your account and domain configurations.
Before you begin: Ensure you have the necessary permissions on your Peakhour account and understand API security best practices.
API Key Overview
Peakhour API keys provide programmatic access to domain configuration, analytics, and management functions. API keys are essential for:
- Automation: Integrating Peakhour into CI/CD pipelines for automated deployments.
- Custom Tooling: Building your own tools to interact with Peakhour services.
- Third-Party Integrations: Connecting monitoring, analytics, or security tools.
All API keys are scoped to your account and have full permissions to manage any domain or setting within that account.
Create an API Key
- Log into your Peakhour Account Dashboard.
- Navigate to Developer > API Keys in the main menu.
- In the "Create new key" section, enter a descriptive Name for your key. This will help you identify its purpose later (e.g., "CI/CD Pipeline Key", "Analytics Reporting Tool").
- Click the Save button.
Your new API key will appear in the list. The key value is a long string that you will use for authentication.
Important: Treat your API keys like passwords. Store them securely and never expose them in client-side code or public repositories.
Use Your API Key
To authenticate with the Peakhour API, you must include your key in the Authorization header of your HTTP requests.
Authentication Format:
Example using cURL
Here is an example of how to retrieve all firewall rules for a specific domain using your API key with cURL.
# Replace YOUR_API_KEY with the key you generated
# Replace example.com with your domain name
API_KEY="YOUR_API_KEY"
DOMAIN="example.com"
curl -X GET "https://www.peakhour.io/api/v1/domains/${DOMAIN}/services/rp/rules/firewall/" \
-H "Authorization: Bearer ${API_KEY}" \
-H "Content-Type: application/json"
Manage API Keys
The API Keys page lists all the keys you have created.
Viewing Keys
For each key, you can see:
- Name: The descriptive name you provided.
- Value: The API key itself.
- Created: The date and time the key was generated.
Revoking a Key
If a key is compromised or no longer needed, you should revoke it immediately.
- Find the key you want to remove in the list.
- Click the Remove button in the "Manage" column for that key.
- Confirm the action when prompted.
Once a key is revoked, it can no longer be used to access the API. Any applications or scripts using that key will fail to authenticate.
Security Best Practices
- Secure Storage: Store API keys in a secure location, such as a password manager, an environment variable on your server, or a dedicated secrets management system (e.g., HashiCorp Vault, AWS Secrets Manager).
- Principle of Least Privilege: Although all keys currently have full access, use different keys for different applications. This makes it easier to revoke access for a specific service if it's compromised, without affecting others.
- Regular Rotation: For enhanced security, periodically revoke old keys and generate new ones. A 90-day rotation schedule is a common best practice for production keys.
- Never Commit Keys to Version Control: Do not store API keys directly in your code, especially if it's stored in a Git repository. Use environment variables or other secure methods to load them at runtime.
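The following is an added example, not Peakhour's own code, showing one way to load the key at runtime as the storage and version-control items above recommend. It assumes the key is supplied in an environment variable named PEAKHOUR_API_KEY and uses only the characters allowed in a Bearer token (RFC 6750); the function names are hypothetical and the endpoint is the one from the cURL example.

```shell
#!/usr/bin/env bash
# Added example. PEAKHOUR_API_KEY and the function names are assumptions.

# Emit a curl config line carrying the Authorization header.
# Fails closed if the key is missing or contains characters that could
# break out of the quoted config value (quotes, newlines, backslashes).
peakhour_curl_config() {
  local key="${PEAKHOUR_API_KEY:-}"
  if [ -z "$key" ]; then
    echo "PEAKHOUR_API_KEY is not set" >&2
    return 1
  fi
  case "$key" in
    *[!A-Za-z0-9._~+/=-]*)
      echo "PEAKHOUR_API_KEY contains unexpected characters" >&2
      return 1 ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$key"
}

# Build the firewall-rules URL, rejecting anything that is not a plain
# hostname so a crafted value cannot alter the request path.
peakhour_firewall_url() {
  local domain="$1"
  case "$domain" in
    ""|*[!A-Za-z0-9.-]*)
      echo "invalid domain: $domain" >&2
      return 1 ;;
  esac
  printf 'https://www.peakhour.io/api/v1/domains/%s/services/rp/rules/firewall/\n' "$domain"
}

# Retrieve the firewall rules for a domain.
peakhour_get_firewall_rules() {
  local url config
  url="$(peakhour_firewall_url "$1")" || return 1
  config="$(peakhour_curl_config)" || return 1
  # The header is passed on stdin (-K -), so the key never appears in
  # curl's argument list, where a process listing could expose it.
  printf '%s\n' "$config" | curl --silent --show-error --fail -K - "$url"
}
```

Call `peakhour_get_firewall_rules example.com` from a job whose secret store or CI system injects PEAKHOUR_API_KEY. The script itself contains no key and is safe to commit.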