Aforo uses two classes of API keys, distinguished by their prefix. The prefix is machine-readable — SDKs and gateway plugins automatically select the correct ingest endpoint based on which key type is present.
Prefix
Environment
Billing
Ingest Endpoint
Use For
sk_test_
Sandbox
No charges
ingest-sandbox.aforo.ai
Local dev, CI, integration tests
sk_live_
Production
Real billing
ingest.aforo.ai
Production deployments only
WARNING
Never use a production key (sk_live_) in a development or CI environment. Every event sent with a live key is metered and billed to your customers. Use sandbox keys for all non-production workloads.
Key Structure
Each key is a 48-character opaque token. The prefix encodes the environment; the remaining 40 characters are a cryptographically random identifier. Keys are stored as a SHA-256 hash — Aforo cannot retrieve the plaintext after initial creation.
API keys are created in the Aforo Admin Panel. Each key is scoped to a product and can optionally be restricted to specific IP ranges or rate limits.
1
Open Admin Panel
Sign in to Aforo → Admin Panel (bottom of sidebar) → API Keys tab
2
Click "Create API Key"
Choose the environment (Sandbox or Production), enter a descriptive name, and select the product scope
3
Copy the key immediately
The plaintext key is shown exactly once. Copy it to your secrets manager now — it cannot be retrieved again
4
Store in your secrets manager
AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, or .env for local development only
INFO
Keys created in the Admin Panel are tied to the account that created them. If a team member leaves, rotate their keys rather than deleting the account — deletion is irreversible and removes the audit trail.
All Aforo APIs authenticate via the standard Authorization HTTP header using the Bearer scheme. There is no session, no cookie, and no token exchange — every request carries the key directly.
When using any Aforo SDK, pass the key at initialization time. The SDK injects the Authorization header on every outbound request automatically.
Node.js SDK
import { AforoClient } from '@aforo/metering';
const aforo = new AforoClient({
apiKey: process.env.AFORO_API_KEY!, // Never hardcode — always read from env
});
Python SDK
from aforo_metering import AforoClient
import os
aforo = AforoClient(
api_key=os.environ["AFORO_API_KEY"] # Never hardcode
)
PRO TIP
All Aforo SDKs read AFORO_API_KEY from the environment automatically if you omit the apiKey option at initialization. This is the recommended pattern for containerized deployments.
Aforo supports zero-downtime key rotation via a grace period model. The old key and the new key are both valid simultaneously for 300 seconds (5 minutes), giving you time to deploy the new key to all running instances before the old one is revoked.
Rotation procedure
# Step 1: Create the new key via API (or Admin Panel)
curl -X POST https://api.aforo.ai/api/v1/api-keys \
-H "Authorization: Bearer sk_live_OLD_KEY" \
-H "Content-Type: application/json" \
-d '{ "name": "prod-key-v2", "environment": "live" }'
# Response includes the new key:
# { "key": "sk_live_NEW_KEY_HERE", "id": "key_xyz789" }
# Step 2: Update AFORO_API_KEY in your secrets manager with sk_live_NEW_KEY_HERE
# Step 3: Roll out the deployment (all instances pick up the new key)
# Step 4: After 5+ minutes, revoke the old key
curl -X DELETE https://api.aforo.ai/api/v1/api-keys/key_OLD_ID \
-H "Authorization: Bearer sk_live_NEW_KEY_HERE"
INFO
During the 300-second grace period, events sent with either the old or new key are accepted and rated identically. There is no gap in metering coverage during rotation.
Automated Rotation (recommended for production)
For production deployments, set up automated rotation via your cloud provider's secrets manager. AWS Secrets Manager and GCP Secret Manager both support rotation Lambdas that call the Aforo API. Contact your Aforo account team for rotation Lambda templates.
API keys are long-lived credentials. Follow these practices to minimise exposure in the event a key is compromised.
Never commit keys to source control
Use .env files (gitignored) locally. Use your CI provider's secret store for pipelines. Pre-commit hooks like git-secrets or truffleHog catch accidental commits.
Use separate keys per environment
One sk_test_ key for development, one for CI, one sk_live_ key for production. Never share keys between environments or team members.
Rotate on team member departure
If a team member with key access leaves, rotate all keys they had access to within 24 hours. The Admin Panel shows last-used timestamps to identify active keys.
Monitor key usage anomalies
Enable key usage alerts in Admin Panel → API Keys → Alerts. Get notified if a key fires more than N events per minute or is called from an unexpected IP range.
Revoke unused keys immediately
The Admin Panel shows last-used timestamps. Any key unused for 90+ days should be revoked. Dormant keys are a liability — they can be compromised without triggering usage alerts.
WARNING
If you suspect a key has been compromised, revoke it immediately from Admin Panel → API Keys, then create a new one. Revocation is instant — there is no grace period on a manually-revoked key.