How it works
Pass your API key in the x-api-key header on every request. The API validates the key before processing. If it’s missing, malformed, or invalid, the request is rejected immediately.
Key format
All API keys follow the format sk_live_* (e.g. sk_live_abc123def456). If the key you’re sending doesn’t start with sk_live_, the API will reject it with a 401.
Create and manage keys at console.footstep.ai.
Key states
Keys can be in one of several states. The API checks the key’s state on every request:

| State | HTTP status | Error message | What to do |
|---|---|---|---|
| Active | 200 | — | Key is working normally |
| Suspended | 403 | API key is suspended | Contact support. Your key has been temporarily disabled |
| Revoked | 403 | API key has been revoked | Generate a new key in the console. Revoked keys cannot be reactivated |
| Not found | 403 | Invalid API key | Check for typos. If correct, the key may have been deleted |
| Missing or malformed | 401 | Missing or invalid API key format | Ensure you’re sending the x-api-key header with a valid sk_live_* key |
A 401 means the request had no valid key at all. A 403 means the key was recognised but isn’t allowed: it’s been suspended, revoked, or doesn’t exist.

Security best practices
- Use environment variables. Store keys in FOOTSTEP_API_KEY or your platform’s secret manager, not in source code.
- Never include keys in query strings. Query strings appear in server logs, browser history, and CDN caches. Always use the x-api-key header.
- Rotate keys regularly. Generate a new key in the console, update your services, then revoke the old one.
- Use separate keys per environment. Different keys for development, staging, and production make it easier to rotate and audit.
- Restrict access. Only share keys with services that need them. If a key is compromised, revoke it immediately and generate a replacement.
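The key-state table and the practices above, as an added example (not footstep.ai’s own client code): it loads the key from FOOTSTEP_API_KEY, refuses a value that cannot be an sk_live_* key before any request is sent, keeps the key in the x-api-key header and refuses to let it ride in the query string, and maps the 401/403 responses from the table to the documented action. The alphanumeric suffix in the format check, the redaction helper, the short action labels and the sample environment are assumptions for illustration; the page shows no API base URL, so the block builds headers rather than sending a request.

```python
import os
import re
from typing import Mapping, Optional

# Documented format: every key starts with sk_live_. Restricting the suffix to
# alphanumerics is an assumption for this example; the page only fixes the prefix.
KEY_RE = re.compile(r"^sk_live_[A-Za-z0-9]+$")

# Decision table transcribed from the page: (HTTP status, error message) -> action.
# The short labels before the colon are assumptions used by this example.
AUTH_ERRORS = {
    (401, "Missing or invalid API key format"):
        "fix_header: send the x-api-key header with a valid sk_live_* key",
    (403, "API key is suspended"):
        "contact_support: the key has been temporarily disabled",
    (403, "API key has been revoked"):
        "rotate: generate a new key in the console; revoked keys cannot be reactivated",
    (403, "Invalid API key"):
        "check_key: look for typos; if correct, the key may have been deleted",
}


def is_valid_key_format(key: str) -> bool:
    """Client-side pre-check so a misconfigured deployment fails locally
    instead of sending a bad secret and collecting a 401."""
    return bool(KEY_RE.match(key))


def load_api_key(env: Optional[Mapping[str, str]] = None) -> str:
    """Read the key from FOOTSTEP_API_KEY (populated by your platform's secret
    manager in production), never from source code."""
    source = os.environ if env is None else env
    key = source.get("FOOTSTEP_API_KEY", "").strip()
    if not is_valid_key_format(key):
        raise ValueError("FOOTSTEP_API_KEY is unset or is not an sk_live_* key")
    return key


def redact(key: str) -> str:
    """Form safe for logs and error messages: prefix plus the last four characters."""
    return key[:8] + "..." + key[-4:] if len(key) > 12 else "sk_live_..."


def auth_headers(key: str, query: Optional[Mapping[str, str]] = None) -> dict:
    """Headers for a request. Refuses to proceed if the key has leaked into the
    query string, which would land in server logs, browser history and CDN caches."""
    if query and any(key in value for value in query.values()):
        raise ValueError("API key must travel in the x-api-key header, not the query string")
    return {"x-api-key": key, "Accept": "application/json"}


def classify_auth_response(status: int, error_message: str = "") -> str:
    """Map a response to the documented action. 401 means the request carried no
    valid key at all; 403 means the key was recognised but is not allowed."""
    if status == 200:
        return "ok"
    action = AUTH_ERRORS.get((status, error_message))
    if action is not None:
        return action
    if status == 401:
        return "fix_header: the request had no valid key"
    if status == 403:
        return "check_key: the key was recognised but is not allowed"
    return "unexpected: not an authentication error"


def should_retry_with_same_key(status: int) -> bool:
    """Neither 401 nor 403 is transient: retrying with the same key cannot succeed."""
    return status not in (401, 403)


if __name__ == "__main__":
    # Constructed environment and responses for a stand-alone run.
    key = load_api_key({"FOOTSTEP_API_KEY": "sk_live_abc123def456"})
    print("using key", redact(key), "->", auth_headers(key))
    for status, message in [(200, ""), (401, "Missing or invalid API key format"),
                            (403, "API key has been revoked")]:
        print(status, message or "-", "->", classify_auth_response(status, message),
              "| retry:", should_retry_with_same_key(status))
```

The format check runs before any network call because a malformed key tells you nothing new after a 401 that the client could not have told you first; the query-string check exists because the leak the page warns about happens at request-build time, which is the only place a client can stop it. Only the redacted form ever reaches a log line.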