Skip to main content
Xquik uses API key authentication for all developer-facing endpoints.

API Key Format

Keys follow this format: 
xq_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
  • Prefix: xq_
  • Body: 64 hexadecimal characters
  • Storage: SHA-256 hashed in database (raw key never stored)

Using Your API Key

Pass the key in the x-api-key header: 
curl https://xquik.com/api/v1/account \
  -H "x-api-key: xq_YOUR_KEY_HERE"

Auth Methods by Endpoint

Most endpoints support dual authentication: either an API key or a session cookie from the dashboard.
EndpointAPI KeySession Cookie
GET /accountYesNo
PATCH /accountNoYes
POST /api-keysNoYes
GET /api-keysNoYes
DELETE /api-keys/:idNoYes
* /monitors/*YesYes
GET /events/*YesNo
* /webhooks/*YesYes
GET /webhooks/:id/deliveriesYesNo
API key management endpoints (/api-keys) require session authentication to prevent key self-management loops.

Key Management

Create a Key

Generate keys from the API Keys page in your dashboard or via the API (session auth only): 
curl -X POST https://xquik.com/api/v1/api-keys \
  -H "Cookie: session=YOUR_SESSION" \
  -H "Content-Type: application/json" \
  -d '{"name": "Production"}'
The full key (fullKey) is returned once in the creation response. Store it securely.

Revoke a Key

curl -X DELETE https://xquik.com/api/v1/api-keys/123 \
  -H "Cookie: session=YOUR_SESSION"
Revoked keys are deactivated immediately and cannot be reactivated.

Error Response

Invalid or missing API key returns: 
{
  "error": "unauthenticated"
}
Status: 401 Unauthorized

Security Best Practices

Never hardcode API keys in your source code. Use environment variables to keep keys separate from your codebase:
.env
XQUIK_API_KEY=xq_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
Access the key in your application:
const apiKey = process.env.XQUIK_API_KEY;
Add .env to your .gitignore to prevent accidental commits:
.gitignore
# Environment variables
.env
.env.local
.env.production
If a key is accidentally committed, revoke it immediately from your dashboard and generate a new one. Consider the exposed key compromised even if you force-push to remove it from history.
Rotate API keys periodically to limit the impact of a potential leak:
  1. Create a new key from the dashboard
  2. Update the key in all your environments
  3. Verify all services work with the new key
  4. Revoke the old key
Xquik supports multiple active keys, so you can rotate without downtime.
Create distinct API keys for each environment. This limits blast radius if a development key is compromised and makes it easier to track usage per environment:
.env.local
# Development
XQUIK_API_KEY=xq_dev_key_here
.env.production
# Production
XQUIK_API_KEY=xq_prod_key_here
Name your keys descriptively (e.g., “Production - Backend”, “Staging”, “Local Dev”) so you can identify them in the dashboard.