Overview

Percify authenticates programmatic access via static API keys scoped to a user account. Keys must be kept server-side—never expose them in client bundles.

Obtaining a Key

  1. Visit Dashboard → Settings → API Keys
  2. Generate new key (label for internal tracking)
  3. Copy once; regenerate if leaked

Request Format

Include header:
Authorization: Bearer <API_KEY>
Content-Type header required for JSON POST bodies.

Example

curl -X POST https://api.percify.io/v1/images/generate \
  -H "Authorization: Bearer $PERCIFY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"prompt":"vibrant portrait, rim light"}'

Verifying Identity

The server resolves the user from the key, attaches the userId to the request context, and then applies ban and credit checks.

Rotation Strategy

| Scenario | Action |
| --- | --- |
| Routine security | Rotate quarterly |
| Suspected leak | Revoke + regenerate immediately |
| Ownership transfer | Delete old keys before handoff |

Handling Failures

| Status | Meaning | Fix |
| --- | --- | --- |
| 401 | Missing/invalid key | Provide valid header |
| 403 | Banned user | Appeal or resolve violation |
| 429 | Rate limit | Backoff + retry |
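
The status handling above as a server-side client sketch. This is an added example, not Percify's own code: the function names, the key-redaction format, the retry count and the backoff schedule are assumptions, and the `post` and `sleep` parameters exist only so the logic can be exercised without network access.

```python
import json, os, random, time
import urllib.error, urllib.request

API_URL = "https://api.percify.io/v1/images/generate"  # endpoint from the curl example

def redact(key):
    """Log-safe form of a key: only the last four characters survive."""
    return "****" + key[-4:] if len(key) > 8 else "****"

def http_post(url, headers, body):
    """Default transport; returns (status, body_bytes) and never raises on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def generate(prompt, key=None, post=http_post, sleep=time.sleep, max_tries=4):
    """POST a prompt; fail fast on 401/403, back off and retry on 429."""
    key = key or os.environ["PERCIFY_API_KEY"]  # server-side env var, never hard-coded
    headers = {"Authorization": f"Bearer {key}",
               "Content-Type": "application/json"}
    body = json.dumps({"prompt": prompt}).encode()
    for attempt in range(max_tries):
        status, data = post(API_URL, headers, body)
        if 200 <= status < 300:
            return data
        if status == 401:  # missing/invalid key: retrying cannot help
            raise PermissionError(f"401 for key {redact(key)}: check or rotate it")
        if status == 403:  # banned user: resolve the violation, do not retry
            raise PermissionError("403: account banned")
        if status == 429 and attempt < max_tries - 1:
            # Exponential backoff (1s, 2s, 4s, ...) plus jitter (assumed policy).
            sleep(2 ** attempt + random.uniform(0, 0.5))
            continue
        raise RuntimeError(f"giving up after status {status}")
    raise RuntimeError("no attempts made")
```

The error raised on 401 carries only the redacted key, so it can be logged without leaking the full value.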

Storing Keys

| Environment | Method |
| --- | --- |
| Local Dev | .env.local (never commit) |
| CI/CD | Platform secret manager |
| Production | Vault / encrypted secrets store |

Do Not

  • Embed in client-side JavaScript
  • Log full key values
  • Share keys across unrelated services

Next: browse endpoints in [/api-reference/introduction].