API Key format
All API keys have the prefixgex_sk_ followed by 32 URL-safe characters:
Sending the key
Include the key in theX-API-Key HTTP header on every request:
The API also accepts
Authorization: Bearer <jwt> for browser-based dashboard
testing, but API keys are the recommended method for bots and scripts.Tiers and quotas
| Tier | Price | Daily quota | Max keys |
|---|---|---|---|
trial | Free (14 days) | 50 req/day | 1 |
pro | €35/month | 500 req/day | 5 |
admin | — | Unlimited | Unlimited |
premium tier (€15/month) has no API access — it’s dashboard-only.
Upgrade to Pro for API access.
Tier information in responses
The authenticated tier isn’t returned in the response body, but you can infer your quota from theX-RateLimit-Limit header.
Managing keys
Create a key
- Log in to gammaflip.io/account
- Open menu → API Keys → Create API Key
- Enter a description (e.g., “Production Lambda”, “Local dev bot”)
- Copy the key immediately — it won’t be shown again
List your keys
The UI shows only the key prefix (first 12 chars) — useful for identifying keys without exposing secrets.Revoke a key
In the API Keys modal, click the trash icon next to any key. Revocation is instant — any request using that key will start returning401.
Security best practices
- Never commit keys to git. Use environment variables or a secrets manager.
- Create separate keys for each environment (dev, staging, prod) so you can rotate independently.
- Revoke keys that haven’t been used in 90 days (check
last_used_atin the UI). - Store keys server-side only. Never ship keys to browsers, mobile apps, or any client-side code — they’ll be extracted.
- Rotate keys periodically, especially after team member changes.
What if my key is compromised?
- Revoke it immediately at gammaflip.io/account
- Create a new key
- Update your clients
- If you suspect misuse, email admin@gammaflip.io