Skip to main content
PromptGuard uses API keys to authenticate requests. Your API key carries many privileges, so be sure to keep it secure!

API Key Format

PromptGuard API keys follow this format: pg_live_xxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxx
  • pg_ - PromptGuard prefix
  • live_ - Environment (live for production, test for development)
  • 8 characters - Key identifier
  • 24 characters - Secret portion

Creating API Keys

  1. Log in to app.promptguard.co
  2. Select your project
  3. Navigate to Settings > API Keys
  4. Click Create API Key
  5. Name your key (e.g., “Production App”, “Development”)
  6. Set permissions (read, write, admin)
  7. Copy the key immediately - it won’t be shown again
Store your API key securely! Once you navigate away, you won’t be able to see the full key again.

Via Dashboard API

You can also create API keys programmatically using the dashboard API (requires session authentication): 
curl https://api.promptguard.co/dashboard/api-keys \\
  -H "Cookie: session=YOUR_SESSION_COOKIE" \\
  -H "Content-Type: application/json" \\
  -d '{
    "name": "My New Key",
    "project_id": "your-project-id"
  }'

Using API Keys

In Headers

Include your PromptGuard API key in the X-API-Key header: 
X-API-Key: pg_live_xxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxx
For direct API calls (not using SDKs), you’ll also need your LLM provider key in the Authorization header: 
X-API-Key: pg_live_xxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxx
Authorization: Bearer sk_your_openai_key_here

Environment Variables

Store your API key in environment variables, not in your code: 
# Never commit this file to version control
PROMPTGUARD_API_KEY=pg_live_xxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxx

API Key Scope

API keys are scoped to specific projects. Each key provides access to:
  • Make AI requests through the proxy endpoint (/api/v1/chat/completions, etc.)
  • View usage and analytics for the associated project
  • Inherit project security settings (presets and custom policies)
Create separate API keys for different environments (development, staging, production) by creating separate projects for each environment.

Key Management Best Practices

  • One key per environment: Use different projects and keys for dev/staging/prod
  • Rotate regularly: Create new keys and delete old ones every 90 days
  • Monitor usage: Check dashboard regularly for unusual activity
  • Store securely: Never commit keys to version control

Key Management

Listing Keys

View all your API keys via the dashboard: 
# Dashboard API requires session authentication
curl https://api.promptguard.co/dashboard/api-keys \\
  -H "Cookie: session=YOUR_SESSION_COOKIE"

Rotating Keys

Regularly rotate your API keys for security:
  1. Create a new API key
  2. Update your applications to use the new key
  3. Test thoroughly
  4. Delete the old key

Deleting Keys

# Dashboard API requires session authentication
curl -X DELETE https://api.promptguard.co/dashboard/api-keys/KEY_ID \\
  -H "Cookie: session=YOUR_SESSION_COOKIE"

Security Best Practices

✅ Do

  • Use environment variables for API keys
  • Rotate keys regularly (every 90 days)
  • Use separate keys for different environments
  • Grant minimal permissions required
  • Monitor key usage in the dashboard
  • Delete unused keys immediately

❌ Don’t

  • Never commit keys to version control
  • Don’t share keys between team members
  • Don’t use production keys in development
  • Don’t log API keys in application logs
  • Don’t embed keys in client-side code

Development vs Production

Use separate API keys for different environments: 
PROMPTGUARD_API_KEY=pg_test_xxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxx

Rate Limits

API keys are subject to rate limits based on your plan:
PlanRequests/MinuteBurst
Free100200
Starter100200
Growth1,0002,000
Rate limits are per API key, not per project. Distribute load across multiple keys if needed. For higher limits, contact [email protected].

Troubleshooting

Invalid API Key Error

{
  "error": {
    "message": "Invalid API key provided",
    "type": "authentication_error",
    "code": "invalid_api_key"
  }
}
How to fix this:
  1. Check your API key format: Your key should start with pg_live_ or pg_test_ followed by 8 characters, an underscore, and 24 characters
    • ✅ Correct: pg_live_12345678_abcdefghijklmnopqrstuvwx
    • ❌ Wrong: pg_live 12345678 (has a space)
  2. Verify there are no extra spaces: Copy your key again from the dashboard and ensure there are no leading/trailing spaces
  3. Check if the key was deleted: Navigate to your project dashboard → API Keys to see if the key still exists
  4. Verify environment match: Make sure you’re using:
    • pg_live_... keys in production
    • pg_test_... keys in development
  5. Try creating a new key: If issues persist, create a new API key from your dashboard

Project Mismatch Error

{
  "error": {
    "message": "API key does not belong to this project",
    "type": "authorization_error",
    "code": "project_mismatch"
  }
}
How to fix this:
  1. Check your API key’s project:
    • Go to your dashboard → Projects → API Keys
    • Verify which project the key belongs to
  2. Use the correct key:
    • Ensure you’re using an API key from the project you want to access
    • Create a new key in the correct project if needed
  3. Verify project settings:
    • Check that the project has the correct preset and policies configured
    • Ensure the project is active and not deleted
  4. Contact support: If issues persist, email [email protected]

Rate Limited Error

{
  "error": {
    "message": "Rate limit exceeded",
    "type": "rate_limit_error",
    "code": "too_many_requests"
  }
}
How to fix this:
  1. Implement exponential backoff in your code to retry requests with increasing delays: 
    // Example: Wait 1s, then 2s, then 4s before retrying
const delay = Math.pow(2, retryCount) * 1000;
await new Promise(resolve => setTimeout(resolve, delay));
  2. Distribute requests across multiple API keys to stay within per-key limits
  3. Check your current usage in the dashboard to see how close you are to your limits
  4. Upgrade your plan if you consistently hit rate limits:

Next Steps

Make Your First Request

Test your API key with a simple request

Integration Guides

Language-specific setup instructions

Security Policies

Configure protection for your use case

Usage Monitoring

Track API usage and security events