
Overview

Limitry uses different authentication methods depending on where your code runs:
| Token Type | Prefix | Use Case | Created From |
|---|---|---|---|
| API Key | limitry_sk_ | Server-side API calls | Dashboard |
| Client Token | limitry_ct_ | Browser/client-side calls | Your backend via API |
| Personal Access Token | limitry_pat_ | CLI, scripts, automation | Dashboard |
API Keys are secret keys for server-side use only. Never expose them in browsers or mobile apps. For client-side usage, see Client Tokens.

API Keys (Server-Side)

Your API Key is a secret key — it provides full access to your project and should only be used in server-side code.

Getting Your API Key

  1. Sign in to the Dashboard. Go to limitry.com/dashboard and sign in to your account.
  2. Navigate to API Keys. Click on Settings > API Keys in the sidebar.
  3. Create a new key. Click Create API Key, give it a name (e.g., “Production” or “Development”), and copy the key.
Your API key is shown only once. Store it securely — you won’t be able to see it again.

Using Your API Key

HTTP Header

Include your API key in the Authorization header:
curl https://api.limitry.com/v1/usage/check \
  -H "Authorization: Bearer limitry_sk_..." \
  -H "Content-Type: application/json" \
  -d '{"customer_id": "cust_123", "event_type": "api_call"}'

Environment Variable

The recommended approach is to use an environment variable:
export LIMITRY_API_KEY=limitry_sk_...
The SDKs automatically read from LIMITRY_API_KEY:
from limitry import Limitry

# Automatically uses LIMITRY_API_KEY
client = Limitry()

Explicit Configuration

You can also pass the key directly (useful for testing):
client = Limitry(api_key="limitry_sk_...")

Security Best Practices

Use environment variables or a secrets manager. Add .env to your .gitignore.
Create separate keys for development, staging, and production. This limits blast radius if a key is compromised.
Regularly rotate your API keys, especially if team members leave or keys may have been exposed.
Never expose your API key in client-side code (browser, mobile apps). Make API calls from your backend.
Check the dashboard regularly for unexpected usage patterns that might indicate a compromised key.
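
The practices above can be backed by an automated check. The following is an added example, not Limitry code: a small scanner for a pre-commit hook or CI job that finds Limitry token literals by the prefixes listed in the Overview and rates a secret key in browser-facing files as the worst case. The token body pattern (16 or more URL-safe characters) and the list of client-side file suffixes are assumptions.

```python
import re

# Prefixes are from the token table on this page. The token body pattern
# (16+ URL-safe characters) is an assumption, not a documented format.
TOKEN_RE = re.compile(r"\blimitry_(sk|ct|pat)_([A-Za-z0-9_-]{16,})")
KINDS = {"sk": "API key", "ct": "client token", "pat": "personal access token"}
CLIENT_SUFFIXES = (".js", ".jsx", ".ts", ".tsx", ".html", ".vue")


def scan(path, text):
    """Return one finding per Limitry token literal found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            kind, body = m.groups()
            if kind == "ct":
                severity = "low"  # short-lived and intended for browsers
            elif path.endswith(CLIENT_SUFFIXES):
                severity = "critical"  # long-lived secret shipped to end users
            else:
                severity = "high"  # hardcoded secret in server-side source
            findings.append({
                "path": path,
                "line": lineno,
                "kind": KINDS[kind],
                "severity": severity,
                # Never echo the full secret into CI logs.
                "token": f"limitry_{kind}_...{body[-4:]}",
            })
    return findings


# Constructed sample files; none of these tokens are real.
SAMPLES = {
    "web/app.js": 'const key = "limitry_sk_CONSTRUCTEDexample0001";\n',
    "server/settings.py": 'KEY = "limitry_sk_..."  # docs placeholder\n'
                          'PAT = "limitry_pat_CONSTRUCTEDexample0002"\n',
    "web/widget.js": 'const t = "limitry_ct_CONSTRUCTEDexample0003";\n',
}


def scan_samples():
    return [f for path, text in SAMPLES.items() for f in scan(path, text)]


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['severity']:8} {f['path']}:{f['line']} {f['kind']} {f['token']}")
```

Any key the scanner reports as high or critical should be treated as exposed and revoked, not just removed from the file.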

Key Permissions

API keys have full access to your project’s resources:
| Permission | Description |
|---|---|
| Usage | Check and record usage events |
| Quotas | Create, read, update quotas |
| Rate Limits | Create, read, update rate limits |
| Customers | View customer usage data |

Revoking Keys

If a key is compromised:
  1. Go to Settings > API Keys in the dashboard
  2. Find the compromised key
  3. Click Revoke
The key is immediately invalidated. Update your applications with a new key.

Client-Side Authentication

For browser-based applications, you cannot use API keys directly — they would be exposed to end users. Instead, use Client Tokens. Client tokens are:
  • Short-lived (typically 1 hour)
  • Created by your backend using your API key
  • Scoped with context (e.g., customer ID)
  • Safe for browsers — they can only access the Client API
