Skip to main content

API Keys

API keys are your credentials for accessing Fincept API. This guide covers key types, obtaining keys, managing them, and security practices.

Key Types

Registered User Keys

Permanent keys for full API access. Format: fk_user_ + 43-character random string Example: fk_user_Hy8kL2mN9pQ1rS3tU4vW5xY6zA7bC8dE9fG0hI1jK2lM3nO4pQ5rS6tU7vW8xY9z Features:
FeatureAvailable
ValidityPermanent (never expires)
Credit ManagementFull access
Tier AccessBased on subscription
Usage AnalyticsComplete history
MFA SupportYes
Key RegenerationAnytime

Guest Keys

Temporary 24-hour keys for testing. Format: fk_guest_ + 43-character random string Example: fk_guest_Aa1bB2cC3dD4eE5fF6gG7hH8iI9jJ0kK1lL2mM3nN4oO5pP6qQ7rR8sS9tT0uU1v Features:
FeatureAvailable
Validity24 hours
Credit Management50 credits (no top-up)
Tier AccessFree tier only
Usage AnalyticsLimited
MFA SupportNo
Key RegenerationNo

Obtaining API Keys

Get Registered User Key

Step 1: Register 
curl -X POST https://finceptbackend.share.zrok.io/user/register \
  -H "Content-Type: application/json" \
  -d '{
    "username": "johndoe",
    "email": "[email protected]",
    "password": "SecurePass123!"
  }'
Step 2: Verify Email (OTP) 
curl -X POST https://finceptbackend.share.zrok.io/user/verify-otp \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "otp": "123456"
  }'
Response includes your API key: 
{
  "success": true,
  "data": {
    "api_key": "fk_user_your_permanent_key",
    "message": "Account verified successfully"
  }
}
Save this key immediately! Store it in a password manager or environment variable. It’s only shown once.

Get Guest Key

No email required - instant access: 
curl -X POST https://finceptbackend.share.zrok.io/guest/create \
  -H "Content-Type: application/json" \
  -d '{
    "device_id": "laptop-chrome-001",
    "device_name": "Development Laptop",
    "platform": "macos"
  }'
Response: 
{
  "success": true,
  "data": {
    "api_key": "fk_guest_temporary_key",
    "credit_balance": 50,
    "expires_at": "2024-01-16T10:30:00Z"
  }
}

Using Your API Key

Authentication Header

Include in every request: 
curl https://finceptbackend.share.zrok.io/user/profile \
  -H "X-API-Key: fk_user_your_key_here"

Environment Variables

Linux/macOS: 
export FINCEPT_API_KEY="fk_user_your_key"
curl https://finceptbackend.share.zrok.io/user/profile \
  -H "X-API-Key: $FINCEPT_API_KEY"
Windows CMD: 
set FINCEPT_API_KEY=fk_user_your_key
curl https://finceptbackend.share.zrok.io/user/profile ^
  -H "X-API-Key: %FINCEPT_API_KEY%"
Windows PowerShell: 
$env:FINCEPT_API_KEY="fk_user_your_key"
curl https://finceptbackend.share.zrok.io/user/profile `
  -H "X-API-Key: $env:FINCEPT_API_KEY"

In Code

Python: 
import os
import requests

API_KEY = os.getenv("FINCEPT_API_KEY")
headers = {"X-API-Key": API_KEY}

response = requests.get(
    "https://finceptbackend.share.zrok.io/user/profile",
    headers=headers
)
JavaScript/Node.js: 
const API_KEY = process.env.FINCEPT_API_KEY;

const response = await fetch(
  "https://finceptbackend.share.zrok.io/user/profile",
  {
    headers: { "X-API-Key": API_KEY }
  }
);

Managing Your API Key

Retrieve Existing Key

Login to get your current API key: 
curl -X POST https://finceptbackend.share.zrok.io/user/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "SecurePass123!"
  }'
Response: 
{
  "success": true,
  "data": {
    "api_key": "fk_user_your_existing_key",
    "message": "Login successful"
  }
}

Regenerate API Key

If compromised, regenerate immediately: 
curl -X POST https://finceptbackend.share.zrok.io/user/regenerate-api-key \
  -H "X-API-Key: fk_user_old_key"
Response: 
{
  "success": true,
  "data": {
    "api_key": "fk_user_new_key",
    "message": "API key regenerated successfully"
  }
}
Old key stops working immediately! Update all applications before regenerating.

View Key Info

Check when your key was created: 
curl https://finceptbackend.share.zrok.io/user/profile \
  -H "X-API-Key: fk_user_your_key"
Response includes: 
{
  "api_key_created_at": "2024-01-15T10:30:00Z",
  "api_key_status": "active"
}

Key Lifecycle

Registered User Keys

States:
  • active - Key is valid and usable
  • suspended - Temporarily disabled (admin action)
  • revoked - Permanently disabled after regeneration

Guest Keys

Auto-cleanup: Expired guest keys are automatically deleted after 7 days.

Security Features

Key Validation

Every request validates:
  1. Key format matches fk_user_* or fk_guest_*
  2. Key exists in database
  3. Key status is active
  4. User account is verified
  5. Key hasn’t expired (for guests)

Rate Limiting

API keys are rate-limited to prevent abuse:
Account TypeLimit
Guest60/hour, 50/day
Free500/hour
Basic1,000/hour
Standard2,000/hour
Pro5,000/hour

IP Tracking

All key usage is logged with IP address for security auditing.

Troubleshooting

Invalid API Key Error

{
  "success": false,
  "message": "Invalid or expired API key"
}
Solutions:
  • Check key was copied correctly (no spaces)
  • Verify key hasn’t been regenerated
  • For guests, check expiry time
  • Login to retrieve current key

Key Not Working After Regeneration

Cause: Old key cached in application Solution: Clear environment variables and restart application

Guest Key Expired

{
  "success": false,
  "message": "Guest API key has expired"
}
Solutions:
  • Create new guest account (another 24 hours)
  • Register for permanent account (350 free credits)

Best Practices

  • Use environment variables
  • Never commit to git
  • Use password managers
  • Encrypt in production configs
  • Regenerate every 90 days
  • Immediately if compromised
  • Track creation dates
  • Different keys for dev/staging/prod
  • Separate accounts for team members
  • Use guest keys for local testing
  • Check login history regularly
  • Review API usage patterns
  • Set up alerts for unusual activity
  • Add extra security layer
  • Protect high-value accounts
  • Required for enterprise

Next Steps

MFA Setup

Enable multi-factor authentication

Security Practices

Learn security best practices

Quickstart

Make your first API call

Authentication Guide

Complete authentication documentation