PromptGuard uses API keys to authenticate requests. Your API key carries many privileges, so be sure to keep it secure!

Creating API Keys

  1. Log in to app.promptguard.co
  2. Select your project
  3. Navigate to Projects → API Keys
  4. Click Create API Key
  5. Name your key (e.g., “Production App”, “Development”)
  6. Copy the key immediately - it won’t be shown again
Store your API key securely! Once you navigate away, you won’t be able to see the full key again.

Using API Keys

In Headers

Include your PromptGuard API key in the X-API-Key header:
X-API-Key: your_api_key_here
For direct API calls (not using SDKs), you’ll also need your LLM provider key in the Authorization header:
X-API-Key: your_api_key_here
Authorization: Bearer sk_your_openai_key_here

Environment Variables

Store your API key in environment variables, not in your code:
# Never commit this file to version control
PROMPTGUARD_API_KEY=your_api_key_here

API Key Scope

API keys are scoped to specific projects. Each key provides access to:
  • Make AI requests through the proxy endpoint (/api/v1/chat/completions, etc.)
  • View usage and analytics for the associated project
  • Inherit project security settings (presets and custom policies)
Create separate API keys for different environments (development, staging, production) by creating separate projects for each environment.

Key Management

Listing Keys

View all your API keys at app.promptguard.co → Projects → API Keys.

Rotating Keys

Rotate your API keys every 90 days:
  1. Create a new API key
  2. Update your applications to use the new key
  3. Test thoroughly
  4. Delete the old key

Deleting Keys

Delete keys at app.promptguard.co → Projects → API Keys → select a key → Delete.

Best Practices

✅ Do

  • Use environment variables — never hardcode keys in source
  • Separate environments — create distinct projects for dev, staging, and production
  • Rotate every 90 days — create a new key, migrate, then delete the old one
  • Monitor usage — check your dashboard regularly for unusual activity
  • Delete unused keys immediately

❌ Don’t

  • Commit keys to version control (add .env to .gitignore)
  • Share keys between team members (each member should use their own)
  • Use production keys in development
  • Log API keys in application output
  • Embed keys in client-side code
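
Added example (not PromptGuard's own code): one way to apply the practices above in a Node.js service by reading the key from PROMPTGUARD_API_KEY, refusing a key that does not match the environment, and masking credential headers before they reach a logger. APP_ENV and the rule that keys starting with pg_sk_test_ are non-production keys are assumptions made for this example.

```javascript
// Added example, not PromptGuard's code. Assumptions: Node.js on the server;
// APP_ENV is a hypothetical variable naming the deployment environment; keys
// that start with "pg_sk_test_" are treated as non-production keys.
const TEST_PREFIX = "pg_sk_test_";
const SENSITIVE_HEADERS = new Set(["x-api-key", "authorization"]);

// Read the key from the environment; fail fast if it is missing or if it
// does not match the environment the process is running in.
function loadPromptGuardKey(env = process.env) {
  const key = (env.PROMPTGUARD_API_KEY || "").trim();
  if (!key) throw new Error("PROMPTGUARD_API_KEY is not set");
  const isProduction = env.APP_ENV === "production";
  const isTestKey = key.startsWith(TEST_PREFIX);
  if (isProduction && isTestKey) {
    throw new Error("test key configured in production");
  }
  if (!isProduction && !isTestKey) {
    throw new Error("non-test key configured outside production");
  }
  return key; // error messages above never contain the key itself
}

// Headers for a direct API call: PromptGuard key plus LLM provider key.
function buildHeaders(promptGuardKey, providerKey) {
  return {
    "X-API-Key": promptGuardKey,
    "Authorization": `Bearer ${providerKey}`,
  };
}

// Mask a secret for log output, keeping the last 4 characters so one key can
// still be told apart from another; short values are masked completely.
function mask(secret) {
  return secret.length >= 12 ? `****${secret.slice(-4)}` : "****";
}

// Return a copy of the headers that is safe to pass to a logger.
function redactHeaders(headers) {
  const safe = {};
  for (const [name, value] of Object.entries(headers)) {
    const sensitive = SENSITIVE_HEADERS.has(name.toLowerCase());
    safe[name] = sensitive ? mask(String(value)) : value;
  }
  return safe;
}
```

Log redactHeaders(headers) rather than the headers object itself, and call loadPromptGuardKey() once at startup so a misconfigured deployment stops before it sends traffic.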

Environment Setup

Use separate projects and keys per environment:
PROMPTGUARD_API_KEY=pg_sk_test_your_dev_key
Create a separate PromptGuard project for each environment. Each project gets its own API keys, usage tracking, and security policies.

Rate Limits

API keys are subject to monthly usage limits based on your subscription plan:
Plan  | Monthly Limit      | Type
Free  | 10,000 requests    | Hard limit (blocks when exceeded)
Pro   | 100,000 requests   | Hard limit (blocks when exceeded)
Scale | 1,000,000 requests | Soft limit (alerts only, never blocks)
Infrastructure Rate Limiting: Cloud Armor enforces 100 requests per minute per IP address at the infrastructure level. This is separate from your monthly subscription limits.
Monthly limits are per user account (across all API keys). For higher limits, contact sales@promptguard.co.

Troubleshooting

Having issues with authentication? See our troubleshooting guide for common solutions.

Rate Limited Error

{
  "error": {
    "message": "Rate limit exceeded",
    "type": "rate_limit_error",
    "code": "too_many_requests"
  }
}
How to fix this:
  1. Implement exponential backoff in your code to retry requests with increasing delays:
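    // Example: wait 1s, then 2s, then 4s before retrying
    // retryCount is the number of attempts already made (0, 1, 2, ...)
    async function waitBeforeRetry(retryCount) {
      const delay = Math.pow(2, retryCount) * 1000;
      await new Promise(resolve => setTimeout(resolve, delay));
    }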
    
  2. Distribute requests across multiple API keys to stay within per-key limits
  3. Check your current usage in the dashboard to see how close you are to your limits
  4. Upgrade your plan if you consistently hit rate limits:
