CanalAPI
User Guide

API Keys

Create, rotate, and revoke CanalAPI API keys.

API keys authenticate every request to CanalAPI. Each key belongs to a single account and can be revoked independently.

Create a key

  1. Open the console and go to API Keys.
  2. Click Create new key.
  3. Set a recognizable name and (optionally) a description.
  4. Click Create. Copy the key immediately — the full secret is shown only once.

Rotate a key

A best practice is to rotate keys periodically, or whenever a key may have been exposed.

  1. Create a new key.
  2. Update your application to use the new key.
  3. After traffic has fully migrated, revoke the old key.
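
A check for step 3, added here as an example and not part of the CanalAPI documentation: it reads exported usage records and reports whether the old key has gone idle while the new key carries traffic. The record fields (key_name, ts), the key names, and the 24-hour quiet window are assumptions, since this page does not describe the Usage Logs format.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records. The field names ("key_name", "ts") are
# assumptions for this example, not a documented CanalAPI log format.
SAMPLE_LOG = [
    {"key_name": "billing-prod-old", "ts": "2024-05-01T09:00:00+00:00"},
    {"key_name": "billing-prod-new", "ts": "2024-05-01T09:05:00+00:00"},
    {"key_name": "billing-prod-old", "ts": "2024-05-01T11:30:00+00:00"},
    {"key_name": "billing-prod-new", "ts": "2024-05-02T08:00:00+00:00"},
    {"key_name": "billing-prod-new", "ts": "2024-05-03T12:00:00+00:00"},
]


def last_seen(records):
    """Return {key_name: datetime of the most recent request made with that key}."""
    seen = {}
    for rec in records:
        ts = datetime.fromisoformat(rec["ts"])
        name = rec["key_name"]
        if name not in seen or ts > seen[name]:
            seen[name] = ts
    return seen


def rotation_status(records, old_key, new_key, now, quiet=timedelta(hours=24)):
    """Decide whether old_key can be revoked (step 3 of the rotation).

    Returns (ok, reason). ok is True only when the new key is carrying
    traffic and the old key has been idle for at least `quiet`.
    """
    seen = last_seen(records)
    if new_key not in seen:
        return False, "new key has no traffic yet; revoking would cause an outage"
    old_ts = seen.get(old_key)
    if old_ts is None:
        return True, "old key does not appear in the log window"
    idle = now - old_ts
    if idle < quiet:
        return False, f"old key last used {idle} ago; a caller still depends on it"
    return True, f"old key idle for {idle}"


if __name__ == "__main__":
    now = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)
    print(rotation_status(SAMPLE_LOG, "billing-prod-old", "billing-prod-new", now))
```

A result of False with the "caller still depends on it" reason usually means one service, environment, or CI job was missed in step 2.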

Revoke a key

  1. Open API Keys.
  2. Find the key you want to revoke and click Revoke.
  3. Confirm. Requests using the revoked key will start returning 401 Unauthorized immediately.

Best practices

  • One purpose per key. Use separate keys per service, environment, or CI job, so that revoking one key affects only that workload.
  • Server-side only. Never embed a key in browser JavaScript or in a mobile application. Use a backend proxy.
  • Use secret managers. Inject the key via your platform's secret manager (Vercel/Railway env vars, AWS Secrets Manager, Doppler, etc.).
  • Monitor usage. Check the Usage Logs regularly for unexpected spikes.

If a key is leaked, revoke it immediately and review your usage logs for unauthorized activity.
