Boundless API uses API keys passed as Bearer tokens.
API Keys
Creating Keys
Dashboard → API Keys → Create Key
- Keys start with
sk- - Shown once at creation — store securely
- Name keys by environment:
prod-app,dev-local
Using Keys
Authorization: Bearer sk-your-api-key-here
Never expose keys in:
- Client-side JavaScript (browser)
- Public GitHub repos
- Mobile app binaries
Use a backend proxy for client-facing apps.
Multiple Keys
Create multiple keys per account:
| Feature | Description |
|---|---|
| Naming | Identify purpose per key |
| Revocation | Instant revoke without affecting other keys |
| Per-key spend limit | Cap spend per key |
| Per-key model allowlist | Restrict which models a key can call |
| Last used | See last request timestamp |
Rotating Keys
- Create new key
- Update your application config
- Verify traffic on new key
- Revoke old key
Zero-downtime rotation: run both keys briefly in parallel.
Key Compromise
If a key is leaked:
- Revoke immediately in Dashboard
- Create new key
- Review Activity log for unauthorized usage
- Email support@boundlessapi.com if fraudulent charges occurred
OAuth (Dashboard Only)
Google and GitHub OAuth are for dashboard login only, not API authentication.
Rate Limiting
Keys inherit account rate limits. See Rate Limits.