API Authentication
Secure authentication methods for the MeasureLLM API
Overview
The MeasureLLM API uses API keys for authentication. All API requests must include a valid API key in the Authorization header.
Getting Your API Key
Create an API Key
- Log in to your MeasureLLM account
- Go to Settings → API Keys
- Click "Create New API Key"
- Enter a name for the key (e.g., "Production" or "Development")
- Click "Create"
- Copy and securely store the key (it won't be shown again)
Using Your API Key
Authorization Header
Include your API key in the Authorization header using the Bearer scheme:
Authorization: Bearer YOUR_API_KEY
Example Request
curl -X GET "https://api.measurellm.com/api/v1/keywords" \
  -H "Authorization: Bearer mlm_live_abc123xyz789" \
  -H "Content-Type: application/json"
JavaScript/Node.js
const response = await fetch('https://api.measurellm.com/api/v1/keywords', {
  headers: {
    'Authorization': 'Bearer ' + process.env.MEASURELLM_API_KEY,
    'Content-Type': 'application/json'
  }
});
Python
import requests
import os

response = requests.get(
    'https://api.measurellm.com/api/v1/keywords',
    headers={
        'Authorization': f'Bearer {os.environ["MEASURELLM_API_KEY"]}',
        'Content-Type': 'application/json'
    }
)
API Key Types
| Type | Prefix | Use Case |
|---|---|---|
| Live | mlm_live_ | Production applications |
| Test | mlm_test_ | Development and testing |
API Key Security
Important Security Guidelines
- Never expose API keys in client-side code
- Don't commit API keys to version control
- Use environment variables for key storage
- Rotate keys periodically
- Use test keys for development
Environment Variables
Store your API key in an environment variable:
# .env file (never commit this!)
MEASURELLM_API_KEY=mlm_live_abc123xyz789
.gitignore
Ensure your environment file is excluded from version control:
# .gitignore
.env
.env.local
.env.production
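A .gitignore entry only protects the env file itself; a key pasted into source or config can still be committed. The following is an added example, not MeasureLLM's own tooling: a small scanner that flags strings carrying the `mlm_live_` and `mlm_test_` prefixes and redacts them in its output. The key body pattern (8 or more alphanumerics) is an assumption based on the sample key on this page, and the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

# Prefixes are from the key-type table on this page. The key body pattern
# (8+ alphanumerics) is an assumption modelled on the page's sample key.
KEY_RE = re.compile(r"\bmlm_(live|test)_[A-Za-z0-9]{8,}")
PREFIX_LEN = len("mlm_live_")  # both prefixes have the same length


def redact(key):
    """Keep the prefix and last 4 characters so output is safe for CI logs."""
    body = key[PREFIX_LEN:]
    return key[:PREFIX_LEN] + "*" * (len(body) - 4) + body[-4:]


def scan_text(text, source="<input>"):
    """Return one finding per key-shaped string, with the key redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "type": m.group(1), "key": redact(m.group(0))})
    return findings


def scan_paths(paths):
    """Scan each readable file path and collect its findings."""
    findings = []
    for p in paths:
        try:
            text = Path(p).read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # deleted or unreadable path: nothing to scan
        findings.extend(scan_text(text, source=str(p)))
    return findings


# Constructed sample input: two hard-coded keys, two safe lines.
SAMPLE = '''MEASURELLM_API_KEY=mlm_live_abc123xyz789
key = os.environ["MEASURELLM_API_KEY"]
curl -H "Authorization: Bearer mlm_test_Zq84kLm02Xy7"
Authorization: Bearer YOUR_API_KEY
'''

if __name__ == "__main__":
    args = sys.argv[1:]
    results = scan_paths(args) if args else scan_text(SAMPLE, "sample")
    for f in results:
        print(f"{f['source']}:{f['line']}: {f['type']} key {f['key']}")
    sys.exit(1 if results else 0)  # non-zero exit blocks the commit
```

As a pre-commit hook, pass it the staged file names, for example the output of `git diff --cached --name-only`.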
Advanced Security Features
MeasureLLM provides additional security features to protect your API keys and restrict access to authorized sources only.
IP Whitelisting
Restrict by IP Address
Limit API key usage to specific IP addresses or CIDR ranges. Ideal for server-to-server integrations where your server IPs are known.
Supported formats:
- 192.168.1.100 - Single IPv4 address
- 10.0.0.0/24 - CIDR range (256 IPs)
- 2001:db8::1 - Single IPv6 address
Domain Whitelisting
Restrict by Origin Domain
For browser-based applications, restrict API key usage to requests from specific domains. The server validates the Origin or Referer header.
Supported formats:
- example.com - Exact domain match
- *.example.com - All subdomains
- app.mysite.com - Specific subdomain
Note: Domain whitelisting works for browser-based requests that include Origin headers. For server-to-server integrations, use IP whitelisting instead.
Managing API Keys
View Keys
See all your API keys in Settings → API Keys. You can view:
- Key name
- Key prefix (for identification)
- Created date
- Last used date
- Status (active/revoked)
Rotate Keys
Key Rotation
For security, rotate your API keys periodically:
- Create a new API key
- Update your applications to use the new key
- Verify everything works
- Revoke the old key
Revoke Keys
If a key is compromised or no longer needed:
- Go to Settings → API Keys
- Find the key to revoke
- Click "Revoke"
- Confirm the action
Revoked keys immediately stop working. This action cannot be undone.
Error Responses
401 Unauthorized
Returned when authentication fails:
{
  "detail": "Invalid or missing API key"
}
403 Forbidden (Security Restrictions)
Returned when your request violates security restrictions:
// IP not in whitelist
{
  "detail": "IP address 203.0.113.99 is not allowed for this API key"
}
// Domain not in whitelist
{
  "detail": "Domain unauthorized.com is not allowed for this API key"
}
// Missing required scope
{
  "detail": "This action requires the 'write' scope"
}
Common Causes
- Missing Authorization header
- Incorrect API key
- Revoked or expired API key
- Request from non-whitelisted IP address
- Request from non-whitelisted domain (browser apps)
- API key lacks required scope for the action
Rate Limits
API requests are rate limited based on your plan:
| Plan | Rate Limit |
|---|---|
| Free | 100 requests/hour |
| Pro | 1,000 requests/hour |
| Enterprise | 10,000 requests/hour |
Tip: Use the X-RateLimit-Remaining response header to monitor your remaining requests and avoid hitting limits.