Compresr docs

Authentication

Compresr uses API keys. Pass them in the X-API-Key header on every request.

Every request needs an API key.

Create a key in the dashboard. Copy it right away — you only see the full value once. All keys start with cmp_.

Send the key in the X-API-Key header on every request.

Where to put the key

Store your key in the COMPRESR_API_KEY environment variable. The SDKs read it for you. With cURL, pass it as a header on each call.

The SDKs set the X-API-Key header for you on every request. You only attach it by hand when calling the REST API directly.

Key format

Every Compresr key starts with cmp_. Any other prefix is invalid and will be rejected with 401 Unauthorized. Treat the full string as a secret - it is not recoverable, so if you lose it, revoke the old key and create a new one.

Requests with no key or an invalid key return 401 Unauthorized. Requests with a valid key but an exhausted budget return 402 Payment Required.
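The key handling described above, as an added Python example (not Compresr SDK code): it reads COMPRESR_API_KEY, rejects a missing or wrongly prefixed value before any request is sent, builds the X-API-Key header, and maps 401 and 402 to an action. The helper names, the short action labels and the redaction threshold are assumptions made for this example.

```python
import os

KEY_ENV = "COMPRESR_API_KEY"  # environment variable named on this page
KEY_PREFIX = "cmp_"           # every valid key starts with this


class KeyConfigError(RuntimeError):
    """Raised locally, before any request is sent."""


def load_key(env=None):
    """Read the key from the environment and reject obvious mistakes early."""
    env = os.environ if env is None else env
    key = (env.get(KEY_ENV) or "").strip()  # stray newlines are common in CI secrets
    if not key:
        raise KeyConfigError(f"{KEY_ENV} is not set")
    if not key.startswith(KEY_PREFIX) or key == KEY_PREFIX:
        # Do not echo the value: it may be a different secret pasted by mistake.
        raise KeyConfigError(f"{KEY_ENV} does not start with {KEY_PREFIX}")
    return key


def redact(key):
    """Log-safe form: the prefix plus the last four characters of longer keys."""
    tail = key[-4:] if len(key) >= 20 else ""  # threshold is an assumption
    return f"{KEY_PREFIX}...{tail}"


def auth_headers(key):
    """Header the REST API expects on every request."""
    return {"X-API-Key": key}


def explain_status(status):
    """Map the two auth-related status codes documented above to an action."""
    if status == 401:
        return "reauth"  # missing, invalid or expired key: fix or replace it
    if status == 402:
        return "budget"  # cap exhausted: raise it or wait for the next cycle
    return "other"       # not an authentication or budget response


if __name__ == "__main__":
    demo = {KEY_ENV: "cmp_EXAMPLEnotARealKey1234\n"}  # constructed, not a real key
    key = load_key(demo)
    print("using key", redact(key), "->", sorted(auth_headers(key)))
    print(401, explain_status(401), "|", 402, explain_status(402))
```

Log only the output of `redact`, never the key itself, so application logs do not become a second place the secret lives.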

Best practices

  • Use environment variables. Read keys from COMPRESR_API_KEY in every environment - local, CI, staging, production.
  • Never commit keys. Add .env to .gitignore. Use a secret manager (1Password, Vault, AWS Secrets Manager, etc.) for production.
  • Server-side only. Never embed a key in a browser bundle, mobile app, or any client-side code. The browser will leak it.
  • Rotate regularly. Rotate every 90 days, and immediately if a key may have been exposed.
  • Set a budget. Cap each key's monthly spend in the dashboard so a leak or runaway loop cannot drain your account.

Rotating a key

Create a new key in the dashboard and deploy it to your environments. Once you have confirmed traffic is flowing on the new key, delete the old one. Keys are revoked immediately on deletion - there is no grace period.

Budgets and expiry

Each key can carry a monthly budget cap and an optional expiry date, both set at creation in the dashboard. When the budget is exhausted, further requests with that key return 402 Payment Required until the next billing cycle or until you raise the cap. Expired keys return 401 Unauthorized after their expiry timestamp.

Never expose your API key in client-side code

Compresr keys should only be used server-side. Anyone with your cmp_ key can spend against your account until you revoke it. Keep keys in a secret manager - not in shared docs, chat threads, frontend bundles, or mobile apps.