Authentication
QuantStream uses API keys for all authenticated endpoints. Keys are bound to your account and can be revoked at any time.
Header formats
Two equivalent headers are supported — pick whichever is easier in your stack:
```
Authorization: Bearer ak_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
x-api-key: ak_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

Both map to the same guard — there's no difference in tier, rate limit, or capability.
Key format
Every key looks like ak_live_<32 random chars>. Only the prefix (ak_live_ plus the
first few characters) is stored in plaintext and shown in the dashboard; the rest is
hashed with argon2. We cannot recover a lost key — you have to revoke and create a new one.
Rate limits
| Tier | Requests / minute | Notes |
|---|---|---|
| FREE | 60 | Default tier |
| PRO | 600 | Contact us |
When you exceed the limit you'll get 429 Too Many Requests with a Retry-After
header (seconds). Back off for that duration before retrying.
Errors
| Status | Meaning |
|---|---|
| 401 | Missing, malformed, or revoked key |
| 403 | Key is valid but doesn't have access to this route |
| 429 | Rate limit exceeded — honor Retry-After |
Security recommendations
- Never embed keys in a browser bundle. API keys identify you, not an end user — a leaked key means somebody else can consume your quota.
- Rotate on suspicion. If a key may have leaked (public repo, shared log), revoke it from Settings and create a new one. Takes seconds.
- One key per integration. Gives you surgical revocation if one integration is compromised without taking down the others.
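
To act on the "rotate on suspicion" advice you first have to find where a key ended up. The scanner below is an added example, not QuantStream code: it finds `ak_live_` keys in log or repository text, redacts them to a dashboard-style prefix, and reports which prefixes to revoke. The key alphabet (letters and digits), the four visible characters, and the sample log lines are assumptions made for this example.

```python
import re

PREFIX = "ak_live_"
# Assumption: the 32 "random chars" are ASCII letters and digits; the page
# does not specify the alphabet. Adjust the character class if yours differ.
KEY_RE = re.compile(r"ak_live_[A-Za-z0-9]{32}(?![A-Za-z0-9])")
# Assumption: number of secret characters the dashboard prefix shows.
VISIBLE = 4


def redact(match):
    """Keep only the dashboard-style prefix so a finding maps to one key."""
    return match.group(0)[: len(PREFIX) + VISIBLE] + "...[REDACTED]"


def scan(lines):
    """Return (redacted_lines, findings); findings map prefix -> line numbers."""
    findings = {}
    cleaned = []
    for lineno, line in enumerate(lines, start=1):
        for m in KEY_RE.finditer(line):
            prefix = m.group(0)[: len(PREFIX) + VISIBLE]
            findings.setdefault(prefix, []).append(lineno)
        # Rewrite the line so the full secret never reaches the report.
        cleaned.append(KEY_RE.sub(redact, line))
    return cleaned, findings


# Constructed sample input: keys and request paths are made up.
SAMPLE_LOG = [
    'GET /example 200 hdr="Authorization: Bearer ak_live_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6"',
    "POST /example 429 x-api-key: ak_live_Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0Pp",
    "dashboard shows key prefix ak_live_A1b2 (prefix only, not a secret)",
    "GET /example 200 x-api-key: ak_live_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6",
]

if __name__ == "__main__":
    cleaned, findings = scan(SAMPLE_LOG)
    print("\n".join(cleaned))
    for prefix, where in findings.items():
        print(f"revoke key {prefix}... (seen on lines {where})")
```

Because each integration has its own key, the reported prefix also tells you which integration to re-provision after revoking.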