API Keys
Every request to the Check Harbor validation API (/v1/...) must include your API key in the X-Api-Key header.
curl https://api.checkharbor.com/v1/ping \
-H "X-Api-Key: chk_live_YOUR_KEY"
Warning
Never expose your API key client-side (in browser JavaScript or mobile apps). Always call the Check Harbor API from your backend.
Managing keys
Keys are managed in the Check Harbor Console:
- Create a key with a friendly name
- Rotate — get a new key value; the old one is immediately invalidated
- Delete — permanently revoke a key
A newly created key is only shown once at creation time. Store it securely (e.g., environment variable).
Key format
chk_live_xxxxxxxxxxxxxxxxxxxxxxxx
Security best practices
| Practice | Details |
|---|---|
| Environment variables | Store as CHECKHARBOR_API_KEY, never hardcode |
| One key per environment | Separate keys for dev, staging, prod |
| Rotate regularly | Use the rotate endpoint when a key may be compromised |
| Monitor usage | Watch the Console dashboard for unexpected spikes |
Error: invalid key
If your key is missing or invalid:
{
"error": {
"code": "unauthorized",
"message": "Invalid or missing API key"
}
}
HTTP status: 401