Skip to main content
xChangeApi uses your account’s API keys to authenticate API requests, and if you don’t include a key or if the key is incorrect or outdated, an invalid request or authentication error will be raised. The Developers Dashboard can be used to create, reveal, and revoke secret API keys.
It’s important to safeguard your keys.
Your secret API key has the ability to perform any API call for your account. Here are some best practices to follow to ensure your keys are secure:
  • Only give access to those who require it.
  • Keep the key out of any version control system you may use.
  • Use a password manager or secrets management service to control key access.
  • Avoid embedding the secret API key in mobile applications or other locations where it can be accessed.

Create a new API key

To create a new API key in the Dashboard:
  1. Open the Keys page.
  2. Click New Key.
  3. Enter a name in Key name (or choose the one proposed by system).
  4. Click Generate Key.

Reveal an API key

To ensure security, the API key is displayed once. It’s important to store the key in a safe location to avoid losing it. If the key is lost, it can be revoked and a new key can be generated.

Revoke an API key

If your secret key has been compromised, the key should be revoked to prevent any unauthorized API requests. To generate a new key and revoke the old API secret key:
  1. Open the Keys page.
  2. Click the three dots icon next to the API key and choose the “Revoke” option.
  3. Enter the API key name in the text input field
  4. Click Revoke Key

Using your API key

When making API requests to our API, you can provide your API key in one of two ways:

API key as a header

Include the API key in the request header: 
GET /api/v1/endpoint HTTP/1.1
Host: api.xchangeapi.com
api-key: your_api_key_here

API key as a query parameter

Alternatively, you can include the API key as a query parameter: 
GET /api/v1/endpoint?api-key=your_api_key_here HTTP/1.1
Host: api.xchangeapi.com
Either method is acceptable, but using the header approach is recommended for security reasons, especially for POST requests, as query parameters may be logged in server access logs.