Authentication
API keys, tokens, and auth flows
Secure access to the CodePlanet API.
API Keys
API keys are used to authenticate programmatic requests.
Getting Your Key
- Go to Settings → API Keys
- Click Generate New Key
- Copy and save securely
⚠️ Keys are shown once. Store them safely!
Using Your Key
Include in the Authorization header:
Key Permissions
API keys have full access to:
- Your profile data
- Your progress
- Problem data
- Leaderboard
They cannot:
- Change your password
- Delete your account
- Access other users' private data
Session Authentication
For browser-based apps, use session cookies:
OAuth
We're working on OAuth support for third-party apps:
- Authorization Code flow
- PKCE support
- Scoped permissions
Security Best Practices
Do's ✅
- Store keys in environment variables
- Use HTTPS always
- Rotate keys periodically
- Use minimal permissions
Don'ts ❌
- Commit keys to git
- Share keys publicly
- Use keys in frontend code
- Log keys in errors
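The two items above that most often go wrong in client code are loading the key from the environment and keeping it out of error logs. The sketch below is an added example, not CodePlanet code: the variable name `CODEPLANET_API_KEY`, the logger name and the sample key are assumptions made for illustration.

```python
import logging
import os
import sys

ENV_VAR = "CODEPLANET_API_KEY"  # assumed variable name, not from the docs


def load_api_key(environ=os.environ) -> str:
    """Read the key from the environment; fail without echoing any value."""
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set")
    return key


class RedactKeyFilter(logging.Filter):
    """Replace the API key with a marker in messages and tracebacks."""

    def __init__(self, secret: str):
        super().__init__()
        if not secret:
            raise ValueError("secret must be non-empty")
        self.secret = secret

    def filter(self, record: logging.LogRecord) -> bool:
        # Render msg % args first so a key passed as an argument is caught.
        record.msg = record.getMessage().replace(self.secret, "[REDACTED]")
        record.args = None
        if record.exc_info:
            # Pre-render the traceback; formatters reuse exc_text when set.
            text = logging.Formatter().formatException(record.exc_info)
            record.exc_text = text.replace(self.secret, "[REDACTED]")
        return True


def build_logger(secret: str, stream) -> logging.Logger:
    """Attach the filter to the handler so every record it emits is scrubbed."""
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactKeyFilter(secret))
    logger = logging.getLogger("codeplanet.client")  # assumed logger name
    logger.handlers = [handler]
    logger.propagate = False
    return logger


if __name__ == "__main__":
    key = load_api_key({ENV_VAR: "cp_constructed_sample_key"})  # constructed value
    log = build_logger(key, sys.stdout)
    log.error("API call failed with key %s", key)
```

The filter sits on the handler rather than the logger because logger-level filters do not see records that arrive from child loggers.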
Revoking Keys
If a key is compromised:
- Go to Settings → API Keys
- Find the key
- Click Revoke
- Generate a new key
Revoked keys stop working immediately.
Rate Limiting
API keys are subject to rate limits:
| Plan | Limit |
|---|---|
| Free | 100/day |
| Developer | 1,000/day |
| Pro | 10,000/day |
See Rate Limits for details.
Error Codes
| Code | Status | Meaning |
|---|---|---|
| UNAUTHORIZED | 401 | Missing or invalid key |
| FORBIDDEN | 403 | Key lacks permission |
| RATE_LIMITED | 429 | Too many requests |
Webhook Authentication (Planned)
For webhooks, we'll provide:
- Signature verification
- Timestamp validation
- Retry handling
Generate your key: API Keys