Securing Your API: Authentication and API Key Management
Understand how API key authentication works and best practices for managing your keys.
How authentication works
Every API request to csv-api must be authenticated with an API key. This ensures only you (and the applications you authorize) can access your data.
API keys are tied to your user account, not to individual datasets. A single API key grants access to all of your datasets. You can create multiple keys to track usage across different applications or revoke access to one app without affecting others.
Creating an API key
1. Navigate to your Account page from the top navigation bar.
2. In the API Keys section, enter a descriptive name (e.g., "Production App", "Local Dev", "Partner Integration").
3. Click Create. Your key token will be displayed once.
4. Copy the token immediately and store it securely (e.g., in an environment variable or a secrets manager).
Your token is shown only once. csv-api stores a hashed version of the token for security. If you lose it, you'll need to create a new key.
Two ways to authenticate
You can pass your API key in two ways. The Authorization header is recommended for production use.
Option 1: Authorization header (recommended)
```shell
curl -H "Authorization: Bearer YOUR_API_KEY" \
  "https://csv-api.com/api/v1/datasets/YOUR_ID/records"
```
Option 2: Query parameter
```shell
curl "https://csv-api.com/api/v1/datasets/YOUR_ID/records?api_key=YOUR_API_KEY"
```
Avoid the query parameter in production. Query parameters can appear in server logs, browser history, and referrer headers. Use the Authorization header whenever possible.
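A small client in Python that follows the guidance above, added here as an example (it is not csv-api's own client library). It reads the key from an environment variable, sends it only in the Authorization header, scrubs any `api_key` query parameter before a URL is logged, and backs off on the 429 described under rate limits. The environment variable name `CSV_API_KEY`, the `send`/`sleep` injection points and the retry schedule are assumptions made for the example.

```python
import os
import time
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BASE_URL = "https://csv-api.com/api/v1"


def load_api_key(environ=None, name="CSV_API_KEY"):
    """Read the key from the environment (assumed variable name), never from source."""
    env = os.environ if environ is None else environ
    key = env.get(name)
    if not key:
        raise RuntimeError(f"{name} is not set; refusing to run without an API key")
    return key


def records_request(dataset_id, api_key):
    """Recommended form: the key travels in the Authorization header, not the URL."""
    req = urllib.request.Request(f"{BASE_URL}/datasets/{dataset_id}/records")
    req.add_header("Authorization", f"Bearer {api_key}")
    return req


def redact_api_key(url):
    """Scrub ?api_key=... before a URL is written to a log line or error message."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "api_key" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def _send(req):
    """Perform the request; non-2xx responses are returned, not raised."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def fetch_records(dataset_id, api_key, send=_send, attempts=4, sleep=time.sleep):
    """GET a dataset's records; stop on 401, back off exponentially on 429."""
    req = records_request(dataset_id, api_key)
    for attempt in range(attempts):
        status, body = send(req)
        if status == 401:
            raise PermissionError("API key rejected (invalid or revoked); create a new key")
        if status == 429 and attempt < attempts - 1:
            # The 1-hour window is per account, so retrying with another key would not help.
            sleep(2 ** attempt)
            continue
        return status, body


if __name__ == "__main__":
    status, body = fetch_records("YOUR_ID", load_api_key())
    print(status, redact_api_key(BASE_URL + "/datasets/YOUR_ID/records?api_key=..."))
```

Pass a fake `send` to exercise the 429 path offline; the default sends the request with `urllib`.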
Managing multiple keys
Create separate API keys for each application or environment. This lets you:
- Revoke access granularly — if a key is compromised, revoke just that one without disrupting other apps.
- Track usage — know which application is consuming API requests.
- Rotate safely — create a new key, update your app, then revoke the old one with zero downtime.
Revoking a key
To revoke an API key, go to your Account page and click the Revoke button next to the key you want to disable. The key will stop working immediately — any requests using that key will receive a 401 Unauthorized response.
Rate limits
Rate limits are applied per user account (not per API key) on a 1-hour sliding window:
| Plan | Requests / Hour |
|---|---|
| Free | 100 |
| Pro | 1,000 |
| Enterprise | 10,000 |
When you exceed your limit, the API returns 429 Too Many Requests. Wait for the window to reset or upgrade your plan for higher limits.
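The server-side pieces described on this page, as one added Python model: hashed token storage (from "Creating an API key"), revocation producing 401 (from "Revoking a key"), and the per-account 1-hour sliding window producing 429 (from this section). This is an illustrative model, not csv-api's code; the SHA-256 digest, the in-memory stores, and the account and plan names are assumptions.

```python
import hashlib
from collections import deque

# Constructed model of the behaviour this page describes; not csv-api's own code.
PLAN_LIMITS = {"Free": 100, "Pro": 1_000, "Enterprise": 10_000}  # requests per hour
WINDOW_SECONDS = 3600  # 1-hour sliding window, counted per account


def hash_token(token):
    """Only this digest is stored; the plaintext token is shown once and never kept."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class KeyStore:
    """Token hash -> {account, key name, revoked}. Lookups never touch plaintext."""

    def __init__(self):
        self._keys = {}

    def create(self, account, name, token):
        self._keys[hash_token(token)] = {"account": account, "name": name, "revoked": False}

    def revoke(self, account, name):
        # Mirrors the Revoke button: one key stops working, the account's others keep working.
        for rec in self._keys.values():
            if rec["account"] == account and rec["name"] == name:
                rec["revoked"] = True

    def resolve(self, token):
        """Return the owning account for a live token, or None for unknown/revoked."""
        rec = self._keys.get(hash_token(token))
        if rec is None or rec["revoked"]:
            return None
        return rec["account"]


class SlidingWindowLimiter:
    """Per-account hit log; hits older than the window fall out of the count."""

    def __init__(self):
        self._hits = {}

    def allow(self, account, plan, now):
        hits = self._hits.setdefault(account, deque())
        while hits and now - hits[0] >= WINDOW_SECONDS:
            hits.popleft()
        if len(hits) >= PLAN_LIMITS[plan]:
            return False  # caller answers 429; a refused attempt is not counted
        hits.append(now)
        return True


def parse_bearer(header):
    """Extract the token from 'Authorization: Bearer <token>', else None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def handle_request(store, limiter, plans, authorization, now):
    """Status code the API would return for a request arriving at time `now` (seconds)."""
    token = parse_bearer(authorization)
    account = store.resolve(token) if token else None
    if account is None:
        return 401  # missing, unknown or revoked key
    if not limiter.allow(account, plans[account], now):
        return 429
    return 200
```

Because the limiter is keyed by account, a second key for the same account draws from the same hourly budget, which is why the page recommends separate keys for tracking and revocation rather than for extra capacity.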
Security best practices
- Store keys in environment variables, never in source code or version control.
- Use the Authorization header instead of query parameters.
- Rotate keys periodically and immediately if you suspect a leak.
- Don't expose your API key in client-side JavaScript that ships to end users. Use a server-side proxy instead.
- Use separate keys for development, staging, and production environments.
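The server-side proxy recommended above, as an added minimal Python example (not csv-api's code): the browser calls the proxy, the proxy attaches the key from its own environment and forwards only an allow-listed path to csv-api, so the key never ships in client-side JavaScript. The `CSV_API_KEY` variable name, the dataset-id character class in the allow-list, and the listening address are assumptions.

```python
import os
import re
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlencode

UPSTREAM = "https://csv-api.com/api/v1"
# Expose only dataset record reads to the browser; every other path is refused.
# The dataset-id character class is an assumption for this example.
ALLOWED_PATH = re.compile(r"^/datasets/[A-Za-z0-9_-]+/records$")


def build_upstream_request(path, query, api_key):
    """Upstream GET for an allowed path, or None if the path is refused.

    The key is attached here as a Bearer header from the proxy's environment,
    so it never reaches the browser. Any api_key the client appended to the
    query string is dropped rather than forwarded.
    """
    if not ALLOWED_PATH.match(path):
        return None
    pairs = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if k != "api_key"]
    url = UPSTREAM + path + ("?" + urlencode(pairs) if pairs else "")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {api_key}")
    return req


class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        path, _, query = self.path.partition("?")
        req = build_upstream_request(path, query, os.environ["CSV_API_KEY"])
        if req is None:
            self.send_error(404, "not proxied")
            return
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, headers, body = resp.status, resp.headers, resp.read()
        except urllib.error.HTTPError as exc:  # 401/429 etc. are relayed unchanged
            status, headers, body = exc.code, exc.headers, exc.read()
        self.send_response(status)
        self.send_header("Content-Type", headers.get("Content-Type", "application/octet-stream"))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumed: CSV_API_KEY is set in the proxy's environment, never in page JavaScript.
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

A browser then requests `/datasets/YOUR_ID/records` from the proxy and never sees the key; revoking the key or rotating it is a change to the proxy's environment only.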