Get started
Authentication
Every request is authenticated with an API key, sent as the x-api-key header.
Your API key. Sent on every request except the public docs endpoints.
Keys & plans
Each key is tied to a plan that defines what it can access — which views, colors, formats, sizes and features are available, and how fallbacks behave. A request without a key returns 401; a request outside your plan returns 403.
Best practices
Keep keys out of public client-side code where possible, use a separate key per environment, and rotate them regularly. If a key is exposed, revoke it and create a new one.
