Search Documentation
Search across all documentation pages
Authentication

Authentication

Every request to the Transcodely API must include a valid API key. Keys are scoped to an App within your Organization and determine which resources you can access.

API Key Format

Transcodely API keys follow a prefixed format so they’re easy to recognize at a glance:

PrefixExample
ak_ak_AbCdEf1234567890GhIjKlMnOpQrStUv

Every key is scoped to a single App within your Organization and grants access to all resources in that app.

Sending Authenticated Requests

Include your API key in the Authorization header using the Bearer scheme:

curl -X POST https://api.transcodely.com/transcodely.v1.JobService/List 
  -H "Authorization: Bearer {{API_KEY}}" 
  -H "Content-Type: application/json" 
  -d '{}'
import { Transcodely } from "transcodely";

// The SDK sends the Authorization: Bearer header for you.
const client = new Transcodely({ apiKey: process.env.TRANSCODELY_API_KEY! });

for await (const job of client.jobs.list({}).autoPage()) {
  console.log(job.id, job.status);
}
import os
from transcodely import Transcodely

# The SDK sends the Authorization: Bearer header for you.
with Transcodely(api_key=os.environ["TRANSCODELY_API_KEY"]) as client:
    for job in client.jobs.list().auto_paging_iter():
        print(job.id, job.status)
// The SDK sends the Authorization: Bearer header for you.
client, err := transcodely.New(os.Getenv("TRANSCODELY_API_KEY"))
if err != nil {
	log.Fatal(err)
}

iter := client.Jobs.List(ctx, &transcodely.JobListParams{})
for iter.Next() {
	job := iter.Current()
	fmt.Println(job.GetId(), job.GetStatus())
}
if err := iter.Err(); err != nil {
	log.Fatal(err)
}

All API requests use POST with Content-Type: application/json. The Transcodely API is built on Connect-RPC, so every endpoint follows the /{package}.{Service}/{Method} URL pattern.

Required Headers

HeaderValueRequired
AuthorizationBearer {{API_KEY}}Yes
Content-Typeapplication/jsonYes
Idempotency-KeyUnique string (max 128 chars)Optional

Creating API Keys

You can create API keys from the Transcodely dashboard or programmatically via the API:

curl -X POST https://api.transcodely.com/transcodely.v1.APIKeyService/Create 
  -H "Authorization: Bearer {{API_KEY}}" 
  -H "Content-Type: application/json" 
  -d '{
    "name": "Production API Key",
    "description": "Used by the video pipeline service"
  }'
const created = await client.apiKeys.create({
  name: "Production API Key",
  description: "Used by the video pipeline service",
});
// created.secret holds the full key — returned only here. Store it now.
console.log(created.apiKey?.id, created.secret);
created = client.api_keys.create(
    name="Production API Key",
    description="Used by the video pipeline service",
)
# created.secret holds the full key — returned only here. Store it now.
print(created.api_key.id, created.secret)
created, err := client.APIKeys.Create(ctx, &transcodely.APIKeyCreateParams{
	Name:        "Production API Key",
	Description: "Used by the video pipeline service",
})
// created.PlainText holds the full key — returned only here. Store it now.
fmt.Println(created.Key.GetId(), created.PlainText)

The response includes the full secret exactly once. Store it securely — you cannot retrieve it again:

{
  "api_key": {
    "id": "ak_r4s5t6u7v8w9x0y1",
    "name": "Production API Key",
    "key_prefix": "ak_",
    "key_hint": "StUv",
    "created_at": "2026-02-28T10:30:00Z"
  },
  "secret": "ak_AbCdEf1234567890GhIjKlMnOpQrStUv"
}

Revoking Keys

If a key is compromised, revoke it immediately. Revoked keys cannot be used for authentication:

curl -X POST https://api.transcodely.com/transcodely.v1.APIKeyService/Revoke 
  -H "Authorization: Bearer {{API_KEY}}" 
  -H "Content-Type: application/json" 
  -d '{
    "id": "ak_r4s5t6u7v8w9x0y1",
    "reason": "Key exposed in public repository"
  }'
const apiKey = await client.apiKeys.revoke("ak_r4s5t6u7v8w9x0y1");
api_key = client.api_keys.revoke("ak_r4s5t6u7v8w9x0y1")
err := client.APIKeys.Revoke(ctx, "ak_r4s5t6u7v8w9x0y1")

Security Best Practices

  • Never embed keys in client-side code. API keys should only be used in server-side applications.
  • Rotate keys periodically. Create a new key, update your services, then revoke the old one.
  • Set expiration dates on keys that are used for temporary integrations or CI/CD pipelines.
  • Use separate keys per service. If one key is compromised, you only need to rotate that key.
  • Store keys in environment variables or a secrets manager — never in source code or configuration files committed to version control.

Error Responses

If authentication fails, the API returns a Connect-RPC unauthenticated error:

{
  "code": "unauthenticated",
  "message": "Invalid or missing API key"
}

Common causes:

ErrorCause
Missing Authorization headerNo API key provided in the request
Invalid key formatThe key does not start with ak_
Revoked keyThe key has been revoked and can no longer be used