Authentication
How AiSpendTrack identifies and authenticates your API calls.
Overview
AiSpendTrack uses API key authentication. Every request to our proxy must include your unique API key in the headers.
Getting Your API Key
- Sign in to app.aispendtrack.com
- Click your profile icon → Settings
- Copy your AiSpendTrack API Key
Your key format: ask_ followed by 32 random characters.
Example: ask_abc123def456ghi789jkl012mno345pq
Using Your API Key
Include your key in the x-aispendtrack-key header:
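```javascript
import OpenAI from "openai";

// Route OpenAI calls through the AiSpendTrack proxy; both keys come from the environment.
const openai = new OpenAI({
  apiKey: process.env.OPENAI_API_KEY,
  baseURL: "https://proxy.aispendtrack.com/v1",
  defaultHeaders: {
    "x-aispendtrack-key": process.env.AISPENDTRACK_API_KEY
  }
});
```
Security: Never hardcode your API key. Always use environment variables.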
Key Security
Do’s ✅
- Store in environment variables (.env file)
- Add .env to .gitignore
- Use separate keys for dev/staging/production
- Rotate keys if compromised
- Keep keys out of client-side code
Don’ts ❌
- Don’t commit keys to version control
- Don’t share keys in Slack/email
- Don’t log keys in application logs
- Don’t expose keys in frontend code
- Don’t reuse keys across projects
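The Do's and Don'ts above can be enforced in code. The following is an added example, not AiSpendTrack's own code: it fails fast on a missing or malformed key, masks keys before they reach a log, and scans file contents for committed keys. The function names are hypothetical, and it assumes the 32 characters after ask_ are ASCII letters and digits.

```javascript
// Added example, not AiSpendTrack code. Function names are hypothetical.
// Assumption: the 32 characters after "ask_" are ASCII letters and digits.
const KEY_EXACT = /^ask_[A-Za-z0-9]{32}$/;
const KEY_ANYWHERE = /\bask_[A-Za-z0-9]{32}\b/g;

// Read the key from the environment and fail fast if it is missing or malformed.
function loadKey(env = process.env) {
  const key = (env.AISPENDTRACK_API_KEY || "").trim();
  if (!key) throw new Error("AISPENDTRACK_API_KEY is not set");
  if (!KEY_EXACT.test(key)) {
    // Never echo the value itself in the error message.
    throw new Error("AISPENDTRACK_API_KEY is not ask_ plus 32 characters");
  }
  return key;
}

// Mask any key in a string before it reaches a log sink; the last 4
// characters are kept so operators can tell keys apart.
function redactKeys(text) {
  return String(text).replace(KEY_ANYWHERE, (k) => `ask_****${k.slice(-4)}`);
}

// Scan file contents (name -> text) for committed keys, e.g. from a
// pre-commit hook. Returns file and 1-based line number, with the match masked.
function findLeakedKeys(files) {
  const findings = [];
  for (const [name, content] of Object.entries(files)) {
    content.split(/\r?\n/).forEach((line, i) => {
      for (const m of line.matchAll(KEY_ANYWHERE)) {
        findings.push({ file: name, line: i + 1, key: redactKeys(m[0]) });
      }
    });
  }
  return findings;
}

// Constructed sample input: the documentation example key, not a real one.
const SAMPLE_KEY = "ask_abc123def456ghi789jkl012mno345pq";
```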
Rotating Your API Key
If your key is compromised:
- Go to Settings in dashboard
- Click Rotate API Key
- Copy your new key
- Update your environment variables
- Old key remains valid for 24 hours (grace period)
- Deploy new key to production
Grace period: Your old key works for 24 hours after rotation, giving you time to update production without downtime.
Multiple API Keys
Need separate keys for different environments?
Free tier: 1 key per account
Pro tier: Up to 5 keys per account
Enterprise: Unlimited keys
Use cases for multiple keys:
- Separate dev/staging/production environments
- Different teams or projects
- Testing and monitoring
To create additional keys (Pro+):
- Go to Settings → API Keys
- Click Create New Key
- Name your key (e.g., “Production”, “Staging”)
- Copy and store securely
Authentication Errors
401 Unauthorized
Cause: Missing or invalid API key
Solutions:
- Verify header name is exactly x-aispendtrack-key
- Check key starts with ask_
- Ensure key is in environment variables
- Try rotating your key
429 Too Many Requests
Cause: Rate limit exceeded or monthly limit hit
Solutions:
- Free tier: Wait until next month or upgrade
- Rate limit: Wait for retry-after seconds
- Check dashboard for current usage
API Key Permissions
Each API key has these permissions:
| Permission | Free | Pro | Enterprise |
|---|---|---|---|
| Make API calls | ✅ | ✅ | ✅ |
| View dashboard | ✅ | ✅ | ✅ |
| Export data | ❌ | ✅ | ✅ |
| Team access | ❌ | ✅ | ✅ |
| Webhooks | ❌ | ✅ | ✅ |
| API access | ❌ | ✅ | ✅ |
Rate Limits
To prevent abuse, we enforce rate limits:
| Tier | Limit | Scope |
|---|---|---|
| Free | 1,000 requests/hour | Per API key |
| Pro | 10,000 requests/hour | Per API key |
| Enterprise | Custom | Custom |
When you hit a rate limit:
- Response: 429 Too Many Requests
- Header: retry-after (seconds to wait)
- Your request is not sent to OpenAI/Anthropic
Rate limits are separate from your monthly call limit (10,000 for free tier).
Best Practices
- Environment variables: Always use env vars, never hardcode
- Separate keys: Use different keys for dev/prod
- Monitor usage: Check dashboard regularly
- Rotate periodically: Rotate keys every 90 days
- Least privilege: Create separate keys with minimal permissions
Example: Secure Setup
```javascript
// ❌ BAD: Hardcoded key
import OpenAI from "openai";

const openai = new OpenAI({
  apiKey: "sk-...",
  baseURL: "https://proxy.aispendtrack.com/v1",
  defaultHeaders: {
    "x-aispendtrack-key": "ask_abc123..." // Never do this!
  }
});
```

```javascript
// ✅ GOOD: Environment variables
import OpenAI from "openai";

const openai = new OpenAI({
  apiKey: process.env.OPENAI_API_KEY,
  baseURL: "https://proxy.aispendtrack.com/v1",
  defaultHeaders: {
    "x-aispendtrack-key": process.env.AISPENDTRACK_API_KEY
  }
});
```
Questions?
- 📧 support@aispendtrack.com
- 💬 Live chat in dashboard