Authentication
All MarkdownAPI.io API endpoints require authentication using API keys. API keys are persistent credentials that never expire, making them ideal for programmatic access, AI agents, and automation.
Why API keys? They’re simple, secure, and never expire. Perfect for server-to-server communication, AI agents, scripts, and CI/CD pipelines.
Quick Start: Get Your API Key
The fastest way to get started is to create an API key through the dashboard:
-
Navigate to the API Keys page
- Go to Dashboard → API Keys or visit markdownapi.io/dashboard/api-keys
-
Click “Create API Key”
- Enter a descriptive name (e.g., “Production API”, “Development”, “CI/CD Pipeline”)
-
Copy your key immediately
- The key is shown only once and cannot be retrieved later
- Click the copy button to save it to your clipboard
-
Start making API calls
- Include your key in the
Authorizationheader
- Include your key in the
Critical: API keys are displayed only once during creation. Save your key immediately in a secure location (environment variables or secrets manager). If you lose it, you’ll need to create a new one.
Using Your API Key
Include your API key in the Authorization header with the Bearer scheme:
cURL
curl "https://markdownapi.io/api/projects" \
-H "Authorization: Bearer YOUR_API_KEY"API Key Format
API keys follow the format: sk_ followed by a URL-safe random string.
Example: sk_5KJ2hN9mP3qR7sT8uV1wX4yZ6aB0cD2e
Creating API Keys
Via Dashboard (Recommended)
Creating API keys through the dashboard is the recommended method, especially for getting started.
Step-by-step guide:
-
Navigate to API Keys
- Go to Dashboard → API Keys
- Or visit markdownapi.io/dashboard/api-keys directly
-
Enter a descriptive name
- Use meaningful names that indicate the key’s purpose
- Good examples:
- “Production API Server”
- “Development Testing”
- “CI/CD Pipeline”
- “Mobile App v2”
- Descriptive names help you identify keys when you have multiple
-
Click “Create API Key”
- The system generates a cryptographically secure key
-
Copy and save your key
- A modal displays your new API key
- This is the only time you’ll see the full key
- Click the copy button to save it
- Store it securely (environment variables, secrets manager, password manager)
-
Acknowledge and complete
- Check the acknowledgment box confirming you’ve saved the key
- Click “Done”
What you’ll see in the dashboard:
After creating a key, it appears in your API Keys list with:
- Name: The descriptive name you provided
- Key prefix: First 12 characters (e.g.,
sk_5KJ2hN9m...) for identification - Created date: When the key was created
- Last used: Timestamp of most recent API call (or “Never used”)
- Status: Active or Inactive
Tip: Create separate API keys for different environments (development, staging, production) and applications. This makes it easier to rotate or revoke keys without affecting other services.
Programmatically (For Automation)
For CI/CD pipelines, automation scripts, or programmatic key management, you can create API keys via the API.
Prerequisites: You need an existing API key to create additional keys. Create your first key via the dashboard, then use it to generate more keys programmatically.
cURL
curl -X POST "https://markdownapi.io/api/keys" \
-H "Authorization: Bearer YOUR_EXISTING_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "CI/CD Pipeline Key"
}'Response:
{
"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"key": "sk_5KJ2hN9mP3qR7sT8uV1wX4yZ6aB0cD2e",
"key_prefix": "sk_5KJ2hN9m",
"name": "CI/CD Pipeline Key",
"created_at": "2025-01-09T10:00:00Z",
"expires_at": null,
"warning": "This is the only time you'll see this key. Please save it securely!"
}Managing Your API Keys
Viewing Your Keys
Access your API keys dashboard at /dashboard/api-keys to view all your keys.
Information displayed:
- Key Name: The descriptive name you provided
- Key Prefix: First 12 characters (e.g.,
sk_5KJ2hN9m...) - Status Badge: Active or Inactive
- Created Date: When the key was created
- Last Used: Most recent API request timestamp
- Shows “Never used” if the key hasn’t been used yet
- Updates after each successful API request
Note: The full API key is never displayed again after creation. Only the prefix is shown for security.
Revoking API Keys
Revoke a key when it’s no longer needed or if it’s been compromised:
-
Navigate to API Keys
- Go to Dashboard → API Keys
-
Find the key
- Locate it by name or prefix
-
Click “Revoke”
- Click the red “Revoke” button next to the key
-
Confirm revocation
- Read the warning in the confirmation dialog
- Applications using this key will immediately lose access
- Click “Revoke Key” to confirm
-
Verify
- The key’s status changes to “Inactive”
- The key remains visible but cannot be used
- API calls with this key will receive 401 errors
Warning: Revoking a key takes effect immediately. Any applications or scripts using the revoked key will stop working instantly. Update your applications with a new key before revoking the old one.
Rotating API Keys
For security best practices, rotate your API keys regularly (every 90 days recommended).
Zero-downtime rotation process:
-
Create a new API key
- Give it a descriptive name (e.g., “Production Key v2”)
- Copy and save the new key
-
Update your applications
- Deploy the new key to all services
- Test thoroughly in staging first
-
Verify everything works
- Monitor your applications
- Check for authentication errors
- Confirm all services are using the new key
-
Revoke the old key
- Only after confirming the new key works everywhere
- This ensures zero downtime
Best practice timeline:
- Day 1: Create and deploy new key
- Day 2-7: Monitor for issues, keep both keys active
- Day 8: Revoke old key once confident new key is working
Key Usage Tracking
Monitor your API key usage to:
- Verify keys are being used by the intended applications
- Identify unused keys that can be revoked
- Detect unusual activity patterns
- Track which services are most active
The “Last used” timestamp updates after each successful API request, helping you identify:
- Active keys: Recently used (within days)
- Dormant keys: Haven’t been used in weeks/months
- Unused keys: Never used (may have been created but not deployed)
Security Best Practices
Essential Rules
-
Never commit keys to version control
- Add keys to
.gitignore - Use environment variables or secrets management
- Review commits before pushing
- Add keys to
-
Use environment variables
- Development:
.envfiles (not committed) - Production: Cloud secrets manager (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault)
- CI/CD: Platform secrets (GitHub Secrets, GitLab CI/CD variables)
- Development:
-
Rotate keys regularly
- Every 90 days recommended
- Immediately if compromised
- Use zero-downtime rotation process
-
Use separate keys per environment
- Development key for local testing
- Staging key for pre-production
- Production key for live services
- CI/CD key for automated builds
-
Revoke unused keys immediately
- Don’t leave dormant keys active
- Clean up after projects end
- Revoke keys from departing team members
Advanced Security
Click to expand security deep dive
Secure Key Storage
Development:
# .env file (add to .gitignore)
MARKDOWN_API_KEY=sk_5KJ2hN9mP3qR7sT8uV1wX4yZ6aB0cD2eProduction (Cloud Secrets Manager):
# AWS Secrets Manager
aws secretsmanager create-secret \
--name markdown-api-key \
--secret-string "sk_5KJ2hN9mP3qR7sT8uV1wX4yZ6aB0cD2e"
# GCP Secret Manager
echo -n "sk_5KJ2hN9mP3qR7sT8uV1wX4yZ6aB0cD2e" | \
gcloud secrets create markdown-api-key --data-file=-CI/CD (GitHub Actions):
# .github/workflows/deploy.yml
- name: API Call
env:
API_KEY: ${{ secrets.MARKDOWN_API_KEY }}
run: |
curl -H "Authorization: Bearer $API_KEY" \
https://markdownapi.io/api/projectsIncident Response
If a key is leaked:
- Immediately revoke the key via dashboard
- Create a new key and deploy it
- Review recent activity for unauthorized use
- Update all applications with the new key
- Audit your codebase to ensure no other keys are exposed
Multi-Environment Strategy
Recommended setup:
Development: sk_dev_... (for local testing)
Staging: sk_stg_... (for pre-production)
Production: sk_prod_... (for live services)
CI/CD: sk_ci_... (for automated tests)Use naming conventions in the key name to track environments easily.
Monitoring and Alerts
Set up monitoring to detect:
- Unusual API call patterns
- Unexpected geographic locations
- High volume of failed authentication attempts
- API keys not used in 90+ days
Error Responses
401 Unauthorized
Authentication failed. The API key is missing, invalid, or revoked.
Causes:
- Missing
Authorizationheader - Invalid or malformed API key
- Revoked API key
- Incorrect header format
Example Response:
{
"detail": "Invalid authentication credentials"
}Solutions:
- Verify the
Authorizationheader is included - Check the key format:
Authorization: Bearer sk_... - Ensure the key hasn’t been revoked
- Verify you’re using the correct key (not a truncated/prefix version)
- Create a new key if the old one is lost or compromised
403 Forbidden
Valid authentication but insufficient permissions.
Causes:
- Attempting to access resources owned by another user
- Trying to modify resources you don’t have access to
- API key lacks required permissions
Example Response:
{
"detail": "You do not have permission to access this resource"
}Solutions:
- Verify you own the requested resource
- Ensure you’re accessing resources in your account
- Check that you’re authenticated with the correct user’s API key
Rate Limiting
Rate limits are applied per API key. Current limits:
- 1000 requests per hour for standard accounts
- 10000 requests per hour for premium accounts
When rate limited, the API returns:
Status: 429 Too Many Requests
Headers:
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1704801600Response:
{
"detail": "Rate limit exceeded. Try again in 1234 seconds."
}Best Practices:
- Monitor rate limit headers in responses
- Implement exponential backoff for retries
- Cache responses when appropriate
- Batch operations when possible
- Create multiple API keys if you need higher throughput (each key has independent limits)
Complete Example
Here’s a complete workflow from creating your first API key to making API calls:
Python
import httpx
import os
async def get_started_with_markdown_api():
"""Complete workflow: Get API key and make first calls."""
# Step 1: Get your API key from dashboard
# Go to https://markdownapi.io/dashboard/api-keys
# Click "Create API Key" and copy it
api_key = os.getenv("MARKDOWN_API_KEY") # Store in environment variable
if not api_key:
print("❌ Please set MARKDOWN_API_KEY environment variable")
return
print(f"✓ Using API key: {api_key[:12]}...")
async with httpx.AsyncClient() as client:
# Step 2: List your projects
projects_response = await client.get(
"https://markdownapi.io/api/projects",
headers={"Authorization": f"Bearer {api_key}"}
)
projects = projects_response.json()
print(f"✓ You have {len(projects['projects'])} projects")
# Step 3: Create a new project
create_response = await client.post(
"https://markdownapi.io/api/projects",
headers={"Authorization": f"Bearer {api_key}"},
json={"name": "My First Project"}
)
project = create_response.json()
print(f"✓ Created project: {project['name']}")
# Step 4: Upload a file
with open("README.md", "rb") as f:
upload_response = await client.post(
f"https://markdownapi.io/api/projects/{project['id']}/files",
headers={"Authorization": f"Bearer {api_key}"},
files={"file": ("README.md", f, "text/markdown")}
)
file_data = upload_response.json()
print(f"✓ Uploaded file: {file_data['filename']}")
print("\n🎉 Success! You're ready to use the API.")
# Usage
# Set your API key: export MARKDOWN_API_KEY=sk_...
# Then run: await get_started_with_markdown_api()Next Steps
Now that you understand authentication, you’re ready to start using the API:
- Quick Start Guide - Complete tutorial
- Projects API - Manage projects
- Files API - Upload and manage files