Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.streampixel.io/llms.txt

Use this file to discover all available pages before exploring further.

An API key authenticates your REST requests against the Streampixel API. Keys are issued per user and scope to the projects that user has access to. They are passed in the JSON body of each request alongside your userId.

How keys are stored

Streampixel encrypts every API key at rest using AES-256-CBC. The stored value has the format {iv_hex}:{encrypted_hex}. You only ever see the plaintext key once — at the moment it is generated. Streampixel cannot recover a lost key; you must rotate to a new one.

Generate a key

1

Sign in to the dashboard

Open streampixel.io and sign in with your Google account.
2

Open your account menu

Click your account name in the top-right corner.
3

Request the key

Click Request API Key. The key is sent to your registered email address and shown once in the dashboard.
4

Copy and store it

Save the key in a password manager or secrets store immediately.
An API key is shown only once. If you lose it, you must generate a new one — there is no way to retrieve the original.

Find your User ID and Project ID

Every API call needs both your userId and a projectId. Both are visible in the dashboard.

Locating your IDs

Step-by-step guide to finding userId and projectId in the dashboard.

Use a key in a request

Pass the key as the apiKey field in the JSON body. It is never sent as an Authorization header. 
curl -X POST https://api.streampixel.io/pixelStripeApi/projects/upload-file \
  -H "Content-Type: application/json" \
  -d '{
    "apiKey": "YOUR_API_KEY",
    "userId": "YOUR_USER_ID",
    "projectId": "YOUR_PROJECT_ID",
    "fileUrl": "https://storage.example.com/build.zip"
  }'

Key scope

A key inherits the access of the user it was generated for:
  • Account owner — the key works on every project in the account.
  • Team member with FULL access — the key works on every project in their access list.
  • Team member with READONLY access — the key only works for read endpoints on projects in their access list.
If a team member is removed from a project, their key immediately stops working on that project.

Rotate a key

Rotation is one-step: requesting a new key invalidates the previous one.
1

Generate a new key

Click Request API Key in your account menu.
2

Update your integrations

Replace the old key everywhere it is used — env vars, CI secrets, deploy configs.
3

Verify

Make a test request. A 401 Unauthorized: Invalid API Key means an integration still references the old value.
Generating a new key takes effect immediately. Any service still using the old key will fail with 401 until you update it.

Security best practices

  • Never commit a key to source control. Treat it like a password.
  • Use environment variables or a managed secrets store (AWS Secrets Manager, GCP Secret Manager, Doppler, 1Password, Vault).
  • Server-side only. The key grants write access to your projects — do not embed it in a browser bundle, mobile binary, or any client your users can decompile.
  • Rotate on any suspected exposure. Accidentally pushed to GitHub? Rotate immediately, then scrub the commit.
  • Rotate periodically as part of routine hygiene, even without a known leak.
  • Use HTTPS only. The API does not accept plain HTTP.
  • Limit team-member scope. Give teammates READONLY or per-project access where possible — their keys inherit the same restrictions.

Troubleshooting

StatusMessageCause
401Unauthorized: Invalid API KeyKey was rotated, mistyped, or belongs to a different account
401Invalid UseruserId does not match the key’s owner
403ForbiddenKey owner has no access to the requested project

Next steps

API authentication

Full reference for the auth model used by every endpoint.

Find your IDs

Locate userId and projectId for use in requests.

Team members

Control who can issue keys and which projects they cover.

Webhooks

Get push notifications instead of polling the API.