API Keys
API keys provide programmatic access to Petal services.
Subscription Required
API access requires a Standard or Advanced subscription.
What Are API Keys For?
API keys allow you to:
- Validate subscriptions programmatically
- Build integrations with your own software
- Access Petal services from scripts and applications
Generating an API Key
From the Website
- Sign in at petal.tech/account
- Navigate to API Keys
- Click Generate API Key
- Copy and securely store your key
From the Desktop App
- Open Petal Metrics
- Go to Settings → Account
- Scroll to the API Key section
- Click Generate Key
- Copy and securely store your key
Save Your Key Immediately
For security, full API keys are only shown once. After you leave the page, only a prefix is displayed.
API Key Format
API keys follow this format:
petal_live_XXXXXXXXXXXXXXXXXXXXXXXX
- Prefix: petal_live_ indicates a production key
- Suffix: 24 random characters (base64url encoded)
- Total length: 35 characters
Using Your API Key
Include your API key in the x-api-key header:
curl -X POST https://petal.tech/api/v1/metrics/api-key/validate \
-H "Content-Type: application/json" \
-d '{"api_key": "petal_live_your_key_here"}'
See the API Reference for available endpoints.
Key Security
Best Practices
- Never commit API keys to version control
- Use environment variables to store keys in your code
- Rotate keys periodically
- Revoke compromised keys immediately
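A pre-commit style check for the first practice above, written as an added example (not Petal's own code): it finds strings matching the documented key format, skips documentation placeholders such as the one shown under API Key Format, and reports only a redacted form. The function names, the 4-character redaction length and the sample key are assumptions constructed for this example.

```python
import re

# Format from this page: "petal_live_" + 24 base64url characters (35 total).
PREFIX = "petal_live_"
ALPHABET = "A-Za-z0-9_-"
# Boundary guards keep longer base64url runs from being reported as keys.
KEY_RE = re.compile(rf"(?<![{ALPHABET}]){PREFIX}[{ALPHABET}]{{24}}(?![{ALPHABET}])")


def is_placeholder(key: str) -> bool:
    """Documentation placeholders (petal_live_XXXX...) repeat a single character."""
    return len(set(key[len(PREFIX):])) == 1


def redact(key: str) -> str:
    """Keep the prefix plus 4 characters (this display length is an assumption)."""
    return key[: len(PREFIX) + 4] + "..."


def scan_text(text: str, source: str = "<input>") -> list[tuple[str, int, str]]:
    """Return (source, line number, redacted key) for every key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            if not is_placeholder(match.group()):
                findings.append((source, lineno, redact(match.group())))
    return findings


# Constructed sample: the key on line 3 is made up for this example, not a real key.
SAMPLE = """\
PETAL_API_KEY=petal_live_your_key_here
example = "petal_live_XXXXXXXXXXXXXXXXXXXXXXXX"
api_key = "petal_live_aB3dE6gH9jK2mN5pQ8sT1vW4"
url = "https://petal.tech/api/v1/metrics/api-key/validate"
"""

if __name__ == "__main__":
    for source, lineno, shown in scan_text(SAMPLE, "config.py"):
        print(f"{source}:{lineno}: possible Petal API key {shown}")
```

Run it over staged files before a commit and fail the commit when `scan_text` returns any finding; a key that has already been committed should be regenerated, since it remains in the repository history.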
Environment Variables
# Set environment variable
export PETAL_API_KEY="petal_live_your_key_here"
# Use in Python
import os
api_key = os.environ.get('PETAL_API_KEY')
// Use in Node.js
const apiKey = process.env.PETAL_API_KEY;
Regenerating Your Key
If your key is compromised or you want to rotate it:
- Go to petal.tech/account/api-keys
- Click Regenerate Key
- Confirm the action
- Update your applications with the new key
Warning
Regenerating invalidates your old key immediately. Update all applications before regenerating.
Rate Limits
API requests are rate limited:
| Endpoint | Limit |
|---|---|
| /api/v1/metrics/api-key/validate | 120 requests/minute |
| /api/v1/license/* | 30 requests/minute |
| /api/v1/auth/login | 5 requests/minute |
| /api/v1/auth/signup | 3 requests/minute |
| Other endpoints | 60 requests/minute |
If you exceed the limit, you'll receive a 429 Too Many Requests response with a Retry-After header.
Troubleshooting
"Invalid API key" (INVALID_API_KEY)
- Verify the key is correct (no extra spaces)
- Ensure you're using the full key, not just the prefix
- Check that your subscription includes API access
- If you're a legacy customer, contact support@petal.tech
"Subscription has expired" (SUBSCRIPTION_EXPIRED)
- Your grandfathered API access period has ended
- Purchase a Standard or Advanced plan at petal.tech/pricing
- Your existing API key will work again once your subscription is active
- See the Migration Guide for more details
"Subscription inactive" (SUBSCRIPTION_INACTIVE)
- Your account exists but you don't have an active subscription
- Purchase a plan at petal.tech/pricing
"API access disabled" (API_ACCESS_DISABLED)
- API access requires a Standard or Advanced plan
- Upgrade at petal.tech/account
"Rate limit exceeded"
- Wait before making more requests
- Implement backoff in your application
- Cache responses where possible