Search Documentation
Search across all documentation pages
API Keys

API Keys

API keys are the primary authentication mechanism for the Transcodely API. Each key is scoped to a single App and grants access to all resources within that app. Every key carries an ak_ prefix, and its full secret is shown only once — at creation.

Creating an API Key

Create a key with a human-readable name and an optional description. The response includes the full secret exactly once — capture it immediately, because only the key_prefix and key_hint are retrievable afterward.

curl -X POST https://api.transcodely.com/transcodely.v1.APIKeyService/Create 
  -H "Authorization: Bearer {{API_KEY}}" 
  -H "Content-Type: application/json" 
  -d '{
    "name": "Production Server",
    "description": "Backend API key for video uploads"
  }'
const created = await client.apiKeys.create({
  name: "Production Server",
  description: "Backend API key for video uploads",
});
// created.secret holds the full key — returned only here. Store it now.
console.log(created.apiKey?.id, created.secret);
created = client.api_keys.create(
    name="Production Server",
    description="Backend API key for video uploads",
)
# created.secret holds the full key — returned only here. Store it now.
print(created.api_key.id, created.secret)
created, err := client.APIKeys.Create(ctx, &transcodely.APIKeyCreateParams{
	Name:        "Production Server",
	Description: "Backend API key for video uploads",
})
// created.PlainText holds the full key — returned only here. Store it now.
fmt.Println(created.Key.GetId(), created.PlainText)
{
  "api_key": {
    "id": "ak_a1b2c3d4e5f6g7h8",
    "name": "Production Server",
    "description": "Backend API key for video uploads",
    "key_prefix": "ak_x9y8z",
    "key_hint": "l5k4",
    "scopes": [],
    "is_revoked": false,
    "created_at": "2026-01-15T10:30:00Z"
  },
  "secret": "ak_x9y8z7w6v5u4t3s2r1q0p9o8n7m6l5k4"
}

Important: The full API key secret is only returned once at creation. Store it securely — you cannot retrieve it again. If you lose it, revoke the key and create a new one.

Using API Keys

Pass your API key as a Bearer token in the Authorization header. The official SDKs take the key as an explicit constructor argument; the conventional environment variable is TRANSCODELY_API_KEY — load it once at startup and pass it in:

curl -X POST https://api.transcodely.com/transcodely.v1.JobService/Create 
  -H "Authorization: Bearer $TRANSCODELY_API_KEY" 
  -H "Content-Type: application/json" 
  -d '{ ... }'
const client = new Transcodely({ apiKey: process.env.TRANSCODELY_API_KEY! });
client = Transcodely(api_key=os.environ["TRANSCODELY_API_KEY"])
client, err := transcodely.New(os.Getenv("TRANSCODELY_API_KEY"))

The API key determines which app the request is scoped to. All resources created with a key belong to that key’s app.

Key Identification

After creation, the full secret is never returned again. Instead, two safe-to-display fields are available for identification:

FieldExamplePurpose
key_prefixak_x9y8zFirst 8 characters of the secret — a per-key value, not a constant scheme tag
key_hintl5k4Last 4 characters for support lookups

These fields are safe to display in logs, dashboards, and admin interfaces.

Expiration

API keys can optionally be created with an expiration time:

curl -X POST https://api.transcodely.com/transcodely.v1.APIKeyService/Create 
  -H "Authorization: Bearer {{API_KEY}}" 
  -H "Content-Type: application/json" 
  -d '{
    "name": "CI/CD Pipeline Key",
    "expires_at": "2026-06-01T00:00:00Z"
  }'
const created = await client.apiKeys.create({
  name: "CI/CD Pipeline Key",
  expiresAt: Timestamp.fromDate(new Date("2026-06-01T00:00:00Z")),
});
created = client.api_keys.create(
    name="CI/CD Pipeline Key",
    expires_at="2026-06-01T00:00:00Z",
)
created, err := client.APIKeys.Create(ctx, &transcodely.APIKeyCreateParams{
	Name:      "CI/CD Pipeline Key",
	ExpiresAt: timestamppb.New(time.Date(2026, 6, 1, 0, 0, 0, 0, time.UTC)),
})

Keys without an expires_at never expire. Expired keys are automatically rejected at authentication time.

Revoking Keys

Revoke a key immediately when it is compromised or no longer needed:

curl -X POST https://api.transcodely.com/transcodely.v1.APIKeyService/Revoke 
  -H "Authorization: Bearer {{API_KEY}}" 
  -H "Content-Type: application/json" 
  -d '{
    "id": "ak_a1b2c3d4e5f6g7h8",
    "reason": "Key exposed in public repository"
  }'
const apiKey = await client.apiKeys.revoke("ak_a1b2c3d4e5f6g7h8");
api_key = client.api_keys.revoke("ak_a1b2c3d4e5f6g7h8")
err := client.APIKeys.Revoke(ctx, "ak_a1b2c3d4e5f6g7h8")

Revocation is immediate and irreversible. Any in-flight requests using the revoked key will fail with a 401 Unauthenticated error.

Listing Keys

List the keys for the current app, optionally including revoked ones. Results are paginated, and the SDKs auto-page so you can iterate every key without handling tokens yourself.

curl -X POST https://api.transcodely.com/transcodely.v1.APIKeyService/List 
  -H "Authorization: Bearer {{API_KEY}}" 
  -H "Content-Type: application/json" 
  -d '{
    "include_revoked": false,
    "pagination": { "limit": 20 }
  }'
for await (const apiKey of client.apiKeys.list({
  includeRevoked: false,
  pagination: { limit: 20 },
}).autoPage()) {
  console.log(apiKey.id, apiKey.keyHint);
}
for api_key in client.api_keys.list(limit=20).auto_paging_iter():
    print(api_key.id, api_key.key_hint)
iter := client.APIKeys.List(ctx, &transcodely.APIKeyListParams{
	IncludeRevoked: false,
	Pagination:     &transcodely.PaginationRequest{Limit: 20},
})
for iter.Next() {
	apiKey := iter.Current()
	fmt.Println(apiKey.GetId(), apiKey.GetKeyHint())
}
if err := iter.Err(); err != nil {
	log.Fatal(err)
}

Each key in the response includes a last_used_at timestamp, which is useful for identifying stale keys that should be cleaned up.

Security Best Practices

  1. Never commit keys to version control. Use environment variables or a secrets manager.
  2. Rotate keys periodically. Create a new key, update your systems, then revoke the old one.
  3. Set expiration dates on keys used for temporary access (CI/CD, contractors, demos).
  4. Use descriptive names so you can identify what each key is used for.
  5. Monitor last_used_at to find and revoke unused keys.
  6. Revoke immediately if a key is exposed. There is no “undo” — create a new key instead.