# API Keys
An API Key is the credential used to authenticate requests to the PromptMan REST API. Keys follow the format `ph_` + 64 hex characters. Every account has a unique API Key that you can view and manage in Dashboard → Settings → API Keys.

## Get Your API Key

1. **Log in to the Dashboard** — Visit prompt.solokit.run/dashboard and sign in with your account.
2. **Open Settings** — Click "Settings" in the Dashboard navigation, or go directly to /dashboard/settings.
3. **Switch to the API Keys tab** — Click "API Keys" in the left sidebar of the Settings page.
4. **View or copy your key** — Your API Key is displayed here. Click "Copy" to get the full key value.

> **TIP**: You can also retrieve your API Token programmatically via the login endpoint — no Dashboard visit required.

## Retrieve via the API

```bash
curl -X POST https://prompt.solokit.run/api/auth/token \
  -H "Content-Type: application/json" \
  -d '{ "email": "you@example.com", "password": "yourpassword" }'
```

```json
{
  "token": "ph_a1b2c3d4e5f6g7h8...",
  "userId": "u_1710000000000_abc123",
  "email": "you@example.com",
  "name": "Jane"
}
```

## Use the API Key in Requests

Pass the key in the Authorization header for every authenticated request:

```bash
curl https://prompt.solokit.run/api/prompts \
  -H "Authorization: Bearer ph_your_api_key_here"
```

## Verify Key Validity

```bash
curl https://prompt.solokit.run/api/auth/token \
  -H "Authorization: Bearer ph_your_api_key_here"
```

```json
// Valid key — returns user info
{ "token": "ph_a1b2c3...", "userId": "u_xxx", "email": "you@example.com", "name": "Jane" }

// Invalid key — returns 401
{ "error": "Unauthorized" }
```

## Rotate / Reset Your API Key

If your key is compromised, revoke it immediately and generate a new one:

```bash
curl -X DELETE https://prompt.solokit.run/api/auth/token \
  -H "Authorization: Bearer ph_your_current_key"
```

```json
// Returns newly generated token
{ "token": "ph_new_token_here..." }
```

> **WARNING**: The old key is invalidated immediately. Update all applications using it as soon as possible.

## Code Examples

### cURL

```bash
curl https://prompt.solokit.run/api/prompts \
  -H "Authorization: Bearer ph_your_api_key"
```

### JavaScript

```javascript
const response = await fetch('https://prompt.solokit.run/api/prompts', {
  headers: {
    'Authorization': 'Bearer ph_your_api_key',
    'Content-Type': 'application/json',
  },
});
const { data } = await response.json();
```

### Python

```python
import requests

headers = {"Authorization": "Bearer ph_your_api_key"}
resp = requests.get(
    "https://prompt.solokit.run/api/prompts",
    headers=headers
)
data = resp.json()
```

## Security Best Practices

| Practice | Description |
| --- | --- |
| Use environment variables | Store your API Key in .env files or system env vars — never hardcode it in source |
| Exclude from version control | Add .env to .gitignore to prevent accidental key exposure |
| Rotate regularly | Reset your API Key periodically, especially after team changes or suspected leaks |
| Principle of least privilege | Only pass the key where necessary; never expose it in client-side code |
| Monitor usage | Check the Dashboard for API call statistics to detect unexpected access patterns |

> **WARNING**: Never commit your API Key to a public repository or expose it in client-side JavaScript. If a key is compromised, use the reset endpoint immediately to generate a new one.
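
The first two practices in the table can be checked mechanically. The following is an added example, not PromptMan's own code: it loads the key from an environment variable and scans text for key-shaped literals, using the `ph_` + 64 hex format described on this page. The variable name `PROMPTMAN_API_KEY`, the helper names, and the acceptance of upper-case hex digits are assumptions.

```python
import os
import re
import sys

# Key format stated on this page: "ph_" followed by 64 hex characters.
# Assumption: hex digits may be upper or lower case.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_])ph_[0-9a-fA-F]{64}(?![0-9a-fA-F])")
ENV_VAR = "PROMPTMAN_API_KEY"  # hypothetical name, not defined by PromptMan


def redact(key: str) -> str:
    """Keep only enough of the key to identify it in a report."""
    return f"{key[:7]}...{key[-4:]}"


def load_api_key(env=os.environ) -> str:
    """Read the key from the environment and reject malformed values early."""
    key = env.get(ENV_VAR, "").strip()
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"{ENV_VAR} is unset or not in ph_ + 64 hex format")
    return key


def find_hardcoded_keys(text: str):
    """Return (line_number, redacted_key) for each key-shaped literal in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, redact(match.group())))
    return hits


# Constructed sample: one hardcoded key (not a real one) and one placeholder.
SAMPLE_KEY = "ph_" + "0123456789abcdef" * 4
SAMPLE_SOURCE = f'''import requests
headers = {{"Authorization": "Bearer {SAMPLE_KEY}"}}
docs = "Bearer ph_your_api_key_here"
'''

if __name__ == "__main__":
    # Scan the files named on the command line (e.g. from a pre-commit hook);
    # with no arguments, scan the constructed sample instead.
    sources = {p: open(p, encoding="utf-8", errors="replace").read()
               for p in sys.argv[1:]} or {"<sample>": SAMPLE_SOURCE}
    found = 0
    for name, text in sources.items():
        for lineno, key in find_hardcoded_keys(text):
            print(f"{name}:{lineno}: hardcoded API key {key}")
            found += 1
    sys.exit(1 if found else 0)
```

The non-zero exit status on a finding lets a commit hook or CI step block the change, and reports only ever contain the redacted form of the key.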