Skip to main content
Xquik uses API key authentication for all developer-facing endpoints.

API Key Format

Keys follow this format: 
xq_YOUR_KEY_HERE
  • Prefix: xq_
  • Body: 64 hexadecimal characters
  • Storage: Hashed in database (raw key never stored)

Using your API key

Pass the key in the x-api-key header: 
curl https://xquik.com/api/v1/account \
  -H "x-api-key: xq_YOUR_KEY_HERE"

Auth methods by endpoint

Most endpoints support dual authentication: either an API key or a session cookie from the dashboard.
EndpointAPI KeySession Cookie
GET /accountYesNo
PATCH /accountYesYes
POST /api-keysNoYes
GET /api-keysNoYes
DELETE /api-keys/:idNoYes
* /monitors/*YesYes
GET /events/*YesYes
* /webhooks/*YesYes
GET /webhooks/:id/deliveriesYesYes
* /draws/*YesYes
* /extractions/*YesYes
* /x/*YesYes
POST /x/media/downloadYesYes
GET /trendsYesYes
PUT /account/x-identityYesYes
* /styles/*YesYes
* /drafts/*YesYes
POST /composeYesYes
GET /radarYesYes
POST /subscribeYesYes
* /integrations/*YesYes
* /x-accounts/*YesYes
* /x-write/*YesYes
* /support/*YesYes
API key management endpoints (/api-keys) require session authentication to prevent key self-management loops.
The MCP server also supports OAuth 2.1 with PKCE for browser-based clients (Claude.ai, ChatGPT Developer Mode). See OAuth 2.1 for the complete flow.

Machine Payments Protocol

16 X-API read-only endpoints also accept MPP payments instead of API key authentication. When you call an eligible endpoint without an API key or session cookie, the server returns a 402 payment challenge.

Challenge header

WWW-Authenticate: Payment id="...", realm="xquik.com", method="tempo", intent="charge", request="..."
ParameterDescription
idUnique challenge identifier
realmProtection space (xquik.com)
methodPayment method (tempo)
intentPayment intent (charge or session)
requestBase64url-encoded JSON with amount, currency, and recipient

Credential header

After completing the payment, retry the request with a payment credential: 
Authorization: Payment <base64url-encoded JSON>
The credential contains the original challenge parameters and a method-specific payload proving payment.

Receipt header

Successful responses include a receipt: 
Payment-Receipt: <base64url-encoded JSON>
The receipt confirms the payment was settled and includes a reference ID and timestamp.

Eligible endpoints

See the MPP overview for the full list of 16 endpoints, pricing, and intent types.
MPP only applies to X-API read-only endpoints. All other endpoints require an API key or session cookie.

Key management

Create a Key

Generate keys from the API Keys page in your dashboard or via the API (session auth only):
Create API Key
curl -X POST https://xquik.com/api/v1/api-keys \
  -H "Cookie: session_token=YOUR_SESSION" \
  -H "Content-Type: application/json" \
  -d '{"name": "Production"}'
The full key (fullKey) is returned once in the creation response. Store it securely.

Revoke a Key

Revoke API Key
curl -X DELETE https://xquik.com/api/v1/api-keys/123 \
  -H "Cookie: session_token=YOUR_SESSION"
Revoked keys are deactivated immediately and cannot be reactivated.

Error response

Invalid or missing API key returns: 
{
  "error": "unauthenticated"
}
Status: 401 Unauthorized

Security best practices

Never hardcode API keys in your source code. Use environment variables to keep keys separate from your codebase:
.env
XQUIK_API_KEY=xq_YOUR_KEY_HERE
Access the key in your application:
const apiKey = process.env.XQUIK_API_KEY;
Add .env to your .gitignore to prevent accidental commits:
.gitignore
# Environment variables
.env
.env.local
.env.production
If a key is accidentally committed, revoke it immediately from your dashboard and generate a new one. Consider the exposed key compromised even if you force-push to remove it from history.
Rotate API keys periodically to limit the impact of a potential leak:
  1. Create a new key from the dashboard
  2. Update the key in all your environments
  3. Verify all services work with the new key
  4. Revoke the old key
Xquik supports multiple active keys, so you can rotate without downtime.
Create distinct API keys for each environment. This limits blast radius if a development key is compromised and makes it easier to track usage per environment:
.env.local
# Development
XQUIK_API_KEY=xq_dev_key_here
.env.production
# Production
XQUIK_API_KEY=xq_prod_key_here
Name your keys descriptively (e.g., “Production - Backend”, “Staging”, “Local Dev”) so you can identify them in the dashboard.
Next steps: Quickstart for a complete setup walkthrough, or OAuth Overview for OAuth 2.1 integration.