Xquik uses API key authentication for all developer-facing endpoints.

API Key Format

Keys follow this format:
xq_YOUR_KEY_HERE
  • Prefix: xq_
  • Body: 64 hexadecimal characters
  • Storage: Hashed in database (raw key never stored)

Using your API key

Pass the key in the x-api-key header:
curl https://xquik.com/api/v1/account \
  -H "x-api-key: xq_YOUR_KEY_HERE"

Auth methods by endpoint

Most endpoints support dual authentication: either an API key or a session cookie from the dashboard.

API key only

GET /account accepts x-api-key. Use it to check plan, monitor quota, and credit balance from server-side integrations.

Session cookie only

POST /api-keys, GET /api-keys, and DELETE /api-keys/{id} require a dashboard session cookie.

Account and billing

PATCH /account, PUT /account/x-identity, and POST /subscribe accept either x-api-key or a dashboard session cookie.

Events and webhooks

* /monitors/*, GET /events/*, * /webhooks/*, and GET /webhooks/{id}/deliveries accept either auth method.

Data and X actions

* /draws/*, * /extractions/*, * /x/*, POST /x/media/download, * /x-accounts/*, and * /x-write/* accept either auth method.

Content tools and support

GET /trends, GET /radar, * /styles/*, * /drafts/*, POST /compose, and * /support/* accept either auth method.
Use a dashboard session cookie to create the first API key. Existing API keys and OAuth bearer tokens can manage keys for the same account.
The MCP server also supports OAuth 2.1 with PKCE for browser-based clients (Claude.ai, ChatGPT Developer Mode). See OAuth 2.1 for the complete flow.

Machine Payments Protocol

31 X-API read-only endpoints also accept MPP payments instead of API key authentication. When you call an eligible endpoint without an API key or session cookie, the server returns a 402 payment challenge.

Challenge header

WWW-Authenticate: Payment id="...", realm="xquik.com", method="tempo", intent="charge", request="..."
| Parameter | Description |
| --- | --- |
| id | Unique challenge identifier |
| realm | Protection space (xquik.com) |
| method | Payment method (tempo) |
| intent | Payment intent (charge or session) |
| request | Base64url-encoded JSON with amount, currency, and recipient |
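A client should decode and check a challenge before it pays. The following is an added example, not code from Xquik: it parses the header shown above and compares each field with a local policy. The function names, the policy object, the treatment of amount as a decimal value, and every sample value are assumptions.

```javascript
// Added example, not Xquik code. parseChallenge, vetChallenge, the policy
// object and all sample values are hypothetical / constructed.
function parseChallenge(headerValue) {
  const m = /^Payment\s+(.+)$/i.exec(headerValue.trim());
  if (!m) throw new Error("not a Payment challenge");
  const params = new Map();
  const pair = /\s*([a-z]+)="([^"]*)"\s*(?:,|$)/y; // key="value", comma-separated
  for (let pos = 0; pos < m[1].length; pos = pair.lastIndex) {
    pair.lastIndex = pos;
    const p = pair.exec(m[1]);
    if (!p) throw new Error("malformed challenge parameter");
    if (params.has(p[1])) throw new Error(`duplicate parameter ${p[1]}`);
    params.set(p[1], p[2]);
  }
  for (const k of ["id", "realm", "method", "intent", "request"]) {
    if (!params.has(k)) throw new Error(`missing parameter ${k}`);
  }
  // request is base64url-encoded JSON carrying amount, currency and recipient.
  const json = Buffer.from(params.get("request"), "base64url").toString("utf8");
  const request = JSON.parse(json);
  if (request === null || typeof request !== "object") {
    throw new Error("request is not a JSON object");
  }
  return { ...Object.fromEntries(params), request };
}

// Returns the names of fields that violate the caller's policy (empty = OK).
function vetChallenge(ch, policy) {
  const problems = [];
  if (ch.realm !== policy.realm) problems.push("realm");
  if (ch.method !== policy.method) problems.push("method");
  if (!policy.intents.includes(ch.intent)) problems.push("intent");
  const { amount, currency, recipient } = ch.request;
  if (currency !== policy.currency) problems.push("currency");
  if (recipient !== policy.recipient) problems.push("recipient");
  // Assumption: amount is a decimal string or number in units of `currency`.
  const isScalar = typeof amount === "string" || typeof amount === "number";
  const n = isScalar ? Number(amount) : NaN;
  if (!Number.isFinite(n) || n <= 0 || n > policy.maxAmount) problems.push("amount");
  return problems;
}

// Constructed policy and challenge; a real recipient and currency will differ.
const samplePolicy = { realm: "xquik.com", method: "tempo", intents: ["charge"],
  currency: "USD", recipient: "constructed-recipient", maxAmount: 0.05 };
function sampleHeader(requestOverrides = {}, realm = "xquik.com") {
  const req = { amount: "0.01", currency: "USD",
    recipient: "constructed-recipient", ...requestOverrides };
  const b64 = Buffer.from(JSON.stringify(req)).toString("base64url");
  return `Payment id="constructed-id", realm="${realm}", method="tempo", ` +
    `intent="charge", request="${b64}"`;
}
console.log(vetChallenge(parseChallenge(sampleHeader()), samplePolicy));
```

Pay only when vetChallenge returns an empty list; any named field means the challenge differs from what the client agreed to spend and where.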

Credential header

After completing the payment, retry the request with a payment credential:
Authorization: Payment <base64url-encoded JSON>
The credential contains the original challenge parameters and a method-specific payload proving payment.

Receipt header

Settled responses include a receipt:
Payment-Receipt: <base64url-encoded JSON>
The receipt confirms the payment was settled and includes a reference ID and timestamp. The header is attached only to successful 2xx responses for both charge and session intents. Error responses use the status code and response body without a receipt header.

Eligible endpoints

See the MPP overview for the full list of 31 endpoints, pricing, and intent types.
MPP only applies to eligible X-API read-only endpoints. Media downloads, private reads, write actions, and all other endpoints require an API key or session cookie.

Key management

Create a Key

Generate keys from the API Keys page in your dashboard or via the API (session auth only):
Create API Key
curl -X POST https://xquik.com/api/v1/api-keys \
  -H "Cookie: session_token=YOUR_SESSION" \
  -H "Content-Type: application/json" \
  -d '{"name": "Production"}'
The full key (fullKey) is returned once in the creation response. Store it securely.

Revoke a Key

Revoke API Key
curl -X DELETE https://xquik.com/api/v1/api-keys/123 \
  -H "Cookie: session_token=YOUR_SESSION"
Revoked keys are deactivated immediately and cannot be reactivated.

Error response

An invalid or missing API key returns:
{
  "error": "unauthenticated"
}
Status: 401 Unauthorized

Security best practices

Never hardcode API keys in your source code. Use environment variables to keep keys separate from your codebase:
.env
XQUIK_API_KEY=xq_YOUR_KEY_HERE
Access the key in your application:
const apiKey = process.env.XQUIK_API_KEY;
Add .env to your .gitignore to prevent accidental commits:
.gitignore
# Environment variables
.env
.env.local
.env.production
If a key is accidentally committed, revoke it immediately from your dashboard and generate a new one. Consider the exposed key compromised even if you force-push to remove it from history.
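Because keys have a fixed shape (xq_ followed by 64 hexadecimal characters), a pre-commit check can catch them before they reach history. The following is an added example, not code from Xquik: it flags key-shaped strings and staged env files and redacts the key in its own output. The function names and sample data are assumptions.

```javascript
// Added example, not Xquik code. Function names and sample data are
// hypothetical / constructed; only the key format (xq_ + 64 hex) and the
// env file names come from the page.
const KEY_RE = /\bxq_[0-9a-fA-F]{64}\b/g;
const ENV_FILE_RE = /(^|\/)\.env(\.local|\.production)?$/;

// Report enough of the key to find it in the dashboard, never the whole key.
const redact = (key) => `${key.slice(0, 7)}...${key.slice(-4)}`;

// files: [{ path, text }] -> [{ path, line, issue }]; line 0 means whole file.
function scanStaged(files) {
  const findings = [];
  for (const { path, text } of files) {
    if (ENV_FILE_RE.test(path)) {
      findings.push({ path, line: 0, issue: "env file staged for commit" });
    }
    text.split(/\r?\n/).forEach((lineText, i) => {
      for (const [key] of lineText.matchAll(KEY_RE)) {
        findings.push({ path, line: i + 1, issue: `API key ${redact(key)}` });
      }
    });
  }
  return findings;
}

// Read real files, e.g. the paths printed by
// `git diff --cached --name-only --diff-filter=ACM`.
async function scanPaths(paths) {
  const { readFile } = await import("node:fs/promises");
  const files = await Promise.all(
    paths.map(async (path) => ({ path, text: await readFile(path, "utf8") })));
  return scanStaged(files);
}

const constructedKey = "xq_" + "ab12".repeat(16); // constructed, not a real key
const sample = [
  { path: "src/client.js", text: `const k = "${constructedKey}";\nfetch(url);` },
  { path: "config/.env.production", text: "XQUIK_API_KEY=xq_YOUR_KEY_HERE" },
  { path: "README.md", text: "Set XQUIK_API_KEY before running." },
];
console.log(scanStaged(sample));
```

A non-empty result should fail the commit; any key it reports should be treated as exposed and revoked, as described above.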
Rotate API keys periodically to limit the impact of a potential leak:
  1. Create a new key from the dashboard
  2. Update the key in all your environments
  3. Verify all services work with the new key
  4. Revoke the old key
Xquik supports multiple active keys, so you can rotate without downtime.
Create distinct API keys for each environment. This limits blast radius if a development key is compromised and makes it easier to track usage per environment:
.env.local
# Development
XQUIK_API_KEY=xq_dev_key_here
.env.production
# Production
XQUIK_API_KEY=xq_prod_key_here
Name your keys descriptively (e.g., “Production - Backend”, “Staging”, “Local Dev”) so you can identify them in the dashboard.
Next steps: Quickstart for a complete setup walkthrough, or OAuth Overview for OAuth 2.1 integration.
Last modified on May 17, 2026