# Authentication

Guide to API authentication and security.

## API Keys

### Obtaining an API Key

- Create an account at https://www.oneliac.xyz
- Navigate to Settings → API Keys
- Click "Generate New Key"
- Copy the key immediately (it is displayed only once)

### Using API Keys

Include the API key in the request header:

```
Authorization: Bearer sk_live_xyz...
```

Example:

```bash
curl -H "Authorization: Bearer sk_live_xyz..." \
     http://localhost:8000/verify-eligibility
```

## Key Types

### Development Keys

- Prefix: `sk_dev_`
- Rate limit: 1000 req/min
- Use in non-production environments

### Production Keys

- Prefix: `sk_live_`
- Rate limit: configurable per key
- Use in production systems only

## Key Management

### Rotate Keys

```
# Generate new key
POST /api/keys/rotate
# Old key disabled after 24 hours
```

### Revoke Keys

```
DELETE /api/keys/{key_id}
# Immediate revocation
```

### Track Key Usage

```
GET /api/keys/{key_id}/usage
# Returns requests, errors, latencies
```
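
The following is an added example, not the oneliac service's own implementation: an in-memory model of the key lifecycle described above. It shows the one behaviour worth getting right on the consuming side, that a rotated key keeps working for a 24-hour grace window while a revoked key stops immediately, and it keeps the request, error and latency counters that the usage endpoint reports. Key-id format, the random secret suffix and the usage response shape are assumptions.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added example (not the oneliac API's code): models rotation with a 24h
# grace window, immediate revocation, and per-key usage counters.

GRACE_PERIOD = timedelta(hours=24)  # "old key disabled after 24 hours"


@dataclass
class ApiKey:
    key_id: str
    secret: str
    disabled_at: datetime | None = None   # set by rotate(); None means active
    revoked: bool = False                 # set by revoke(); takes effect at once
    requests: int = 0                     # usage counters exposed by usage()
    errors: int = 0
    latencies_ms: list[float] = field(default_factory=list)


class KeyStore:
    def __init__(self) -> None:
        self._by_secret: dict[str, ApiKey] = {}
        self._by_id: dict[str, ApiKey] = {}

    def issue(self, prefix: str = "sk_live_") -> ApiKey:
        # sk_dev_/sk_live_ prefixes come from the page; id and suffix format are assumed
        key = ApiKey(key_id=f"key_{secrets.token_hex(4)}",
                     secret=prefix + secrets.token_urlsafe(24))
        self._by_secret[key.secret] = key
        self._by_id[key.key_id] = key
        return key

    def rotate(self, old_secret: str, now: datetime) -> ApiKey:
        """POST /api/keys/rotate: mint a replacement; old key stays valid 24h."""
        old = self._by_secret[old_secret]
        prefix = "sk_dev_" if old.secret.startswith("sk_dev_") else "sk_live_"
        old.disabled_at = now + GRACE_PERIOD
        return self.issue(prefix)

    def revoke(self, key_id: str) -> None:
        """DELETE /api/keys/{key_id}: immediate revocation, no grace window."""
        self._by_id[key_id].revoked = True

    def authenticate(self, secret: str, now: datetime) -> ApiKey | None:
        """Return the key if it may be used at `now`, otherwise None."""
        key = self._by_secret.get(secret)
        if key is None or key.revoked:
            return None
        if key.disabled_at is not None and now >= key.disabled_at:
            return None
        return key

    def record(self, key: ApiKey, latency_ms: float, error: bool = False) -> None:
        """Count one authenticated call against the key."""
        key.requests += 1
        key.errors += int(error)
        key.latencies_ms.append(latency_ms)

    def usage(self, key_id: str) -> dict:
        """GET /api/keys/{key_id}/usage: requests, errors, latencies (shape assumed)."""
        key = self._by_id[key_id]
        lat = sorted(key.latencies_ms)
        return {"requests": key.requests, "errors": key.errors,
                "p50_latency_ms": lat[len(lat) // 2] if lat else None}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    store = KeyStore()
    old = store.issue()
    new = store.rotate(old.secret, now)
    print("old key usable 23h after rotation:",
          store.authenticate(old.secret, now + timedelta(hours=23)) is not None)
    print("old key usable 24h after rotation:",
          store.authenticate(old.secret, now + GRACE_PERIOD) is not None)
    store.revoke(new.key_id)
    print("new key usable after revoke:", store.authenticate(new.secret, now) is not None)
```

A client that rotates on a schedule should switch to the new secret as soon as `rotate` returns rather than relying on the grace window; the window exists to cover in-flight deployments, not as a second valid key.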

## HTTPS/TLS

All production API calls must use HTTPS:

- `https://api.oneliac.io` (required)
- `http://localhost:8000` (development only)

## OAuth 2.0 (Coming Soon)

Planned OAuth 2.0 support for:

- Authorization Code Flow
- Client Credentials Flow
- Refresh Tokens

## Security Best Practices

- Never commit keys to version control
- Rotate keys quarterly
- Load keys from environment variables rather than hard-coding them
- Monitor key usage
- Revoke unused keys
- Use separate keys per environment
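
The following is an added example, not the oneliac SDK or any code from this page, tying together the "Using API Keys", "Key Types", "HTTPS/TLS" and best-practice sections. It loads the key from the environment, checks that the key's prefix matches the deployment stage (a `sk_live_` key in development or a `sk_dev_` key in production is refused), and refuses to attach a production key to a plain-HTTP URL. The environment variable names `ONELIAC_ENV` and `ONELIAC_API_KEY` are assumptions; the base URLs, prefixes and `Bearer` header are from the page.

```python
from __future__ import annotations

import os
import urllib.request
from urllib.parse import urlparse

# Added example (not the oneliac SDK). Variable names ONELIAC_ENV and
# ONELIAC_API_KEY are assumptions; prefixes and base URLs come from the docs.

KEY_PREFIX = {"development": "sk_dev_", "production": "sk_live_"}
BASE_URL = {"development": "http://localhost:8000",
            "production": "https://api.oneliac.io"}


class ConfigError(ValueError):
    """Raised when the key and the environment disagree; fail closed."""


def load_api_key(env: dict[str, str] | None = None) -> tuple[str, str]:
    """Return (stage, key) read from the environment, cross-checked."""
    env = os.environ if env is None else env
    stage = env.get("ONELIAC_ENV")        # assumed variable name
    key = env.get("ONELIAC_API_KEY")      # assumed variable name
    if stage not in KEY_PREFIX:
        raise ConfigError(f"ONELIAC_ENV must be one of {sorted(KEY_PREFIX)}, got {stage!r}")
    if not key:
        raise ConfigError("ONELIAC_API_KEY is not set; keys are never hard-coded")
    expected = KEY_PREFIX[stage]
    if not key.startswith(expected):
        raise ConfigError(f"{stage} requires a key starting with {expected}")
    return stage, key


def auth_headers(key: str, url: str) -> dict[str, str]:
    """Build the Authorization header; a live key only ever travels over HTTPS."""
    if key.startswith("sk_live_") and urlparse(url).scheme != "https":
        raise ConfigError("production keys must only be sent over HTTPS")
    return {"Authorization": f"Bearer {key}"}


def build_request(stage: str, key: str, path: str) -> urllib.request.Request:
    """Prepare a request against the base URL for this stage (not yet sent)."""
    url = BASE_URL[stage] + path
    return urllib.request.Request(url, headers=auth_headers(key, url))


def redact(key: str) -> str:
    """Form safe for logs and error messages: prefix plus the last 4 characters."""
    prefix = key[:8] if key.startswith("sk_") else "sk_?"
    return f"{prefix}...{key[-4:]}"


if __name__ == "__main__":
    stage, key = load_api_key()
    req = build_request(stage, key, "/verify-eligibility")
    print("would call", req.full_url, "as", redact(key))
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(resp.status)
```

Because `load_api_key` fails closed on a missing or mismatched `ONELIAC_ENV`, a production key copied into a developer's shell cannot silently be used against localhost, and a development key cannot be shipped to production by mistake.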

## IP Whitelisting

Restrict an API key to specific source IPs:

```
POST /api/keys/{key_id}/whitelist
```

```json
{
  "ips": ["203.0.113.0", "203.0.113.1"]
}
```

## Rate Limiting

Authenticated requests get higher limits:

| Tier | Limit | Cost |
|---|---|---|
| Free | 100 req/min | Free |
| Pro | 1000 req/min | $99/mo |
| Enterprise | Custom | Custom |
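
The following is an added example, not the oneliac service's actual limiter: a sliding-window limiter keyed by API key that applies the per-minute limits from the table above and returns the usual `X-RateLimit-*` and `Retry-After` headers. The Free and Pro limits are from the table; the anonymous limit of 10 req/min, the treatment of an unrecognised tier as Free, and the header names are assumptions (the page does not say which headers the API returns). Enterprise is "custom", so it is supplied per deployment through the constructor.

```python
from __future__ import annotations

import math
import time
from collections import deque

# Added example (not the service's limiter). Free/Pro limits are from the
# table; ANON_LIMIT, the unknown-tier fallback and header names are assumed.

TIER_LIMITS = {"free": 100, "pro": 1000}   # req/min; "enterprise" is custom
ANON_LIMIT = 10                             # assumption: unauthenticated callers
WINDOW_SECONDS = 60.0


class RateLimiter:
    def __init__(self, limits: dict[str, int] | None = None) -> None:
        # Pass e.g. {"free": 100, "pro": 1000, "enterprise": 5000} to set a custom tier.
        self.limits = dict(TIER_LIMITS if limits is None else limits)
        self._hits: dict[str, deque[float]] = {}   # key -> timestamps in window

    def limit_for(self, key: str | None, tier: str | None) -> int:
        if key is None:
            return ANON_LIMIT
        return self.limits.get(tier or "free", self.limits["free"])

    def check(self, key: str | None, tier: str | None,
              now: float | None = None) -> tuple[bool, dict[str, str]]:
        """Return (allowed, response headers) for one request by `key`."""
        now = time.monotonic() if now is None else now
        limit = self.limit_for(key, tier)
        hits = self._hits.setdefault(key or "anonymous", deque())
        # Sliding window: forget hits older than 60 s before counting.
        while hits and hits[0] <= now - WINDOW_SECONDS:
            hits.popleft()
        if len(hits) >= limit:
            retry_after = hits[0] + WINDOW_SECONDS - now   # when the oldest hit expires
            return False, {"X-RateLimit-Limit": str(limit),
                           "X-RateLimit-Remaining": "0",
                           "Retry-After": str(max(1, math.ceil(retry_after)))}
        hits.append(now)
        return True, {"X-RateLimit-Limit": str(limit),
                      "X-RateLimit-Remaining": str(limit - len(hits))}


if __name__ == "__main__":
    rl = RateLimiter()
    t0 = 1000.0   # constructed clock so the run is deterministic
    for i in range(101):
        allowed, headers = rl.check("sk_live_demo", "free", t0 + i * 0.1)
    print("101st request in the minute allowed:", allowed, headers)
```

A sliding window of timestamps is exact but costs memory proportional to the limit per key; for the Enterprise tier with a very high custom limit a token bucket is the cheaper choice, and the interface above would not change.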