API Keys
API keys allow your server to authenticate with the DailyPlay API. Keys are created from the
dashboard and used in the x-api-key header when making API calls.
Creating an API Key
- Log in to the DailyPlay dashboard
- Navigate to Connect → API Keys in the sidebar
- Click Create API Key
- Enter a name (e.g., “Production CRM”) and an optional description
- Optionally set an expiration date
- Click Create
:::caution
Copy the generated key immediately — it is only shown once and cannot be retrieved later.
:::
The key format is dpk_<40 hex characters>, for example:
```
dpk_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
```
Key Scoping
API keys can be scoped to restrict which resources they can access:
| Scope | Description |
|---|---|
| All games & streams | Default — the key can create sessions for any resource in the org |
| Specific games | Restrict to a list of game IDs |
| Specific streams | Restrict to a list of stream IDs |
Attempting to create a session for a resource outside the key’s scope returns a 403 Forbidden
error.
Rate Limits
Each API key has configurable rate limits:
| Limit | Default | Description |
|---|---|---|
| Per minute | 60 | Maximum requests per minute |
| Per day | 10,000 | Maximum requests per day |
When a rate limit is exceeded, the API returns a 429 Too Many Requests response.
Revoking a Key
You can revoke an API key at any time from the dashboard:
- Go to Connect → API Keys
- Find the key in the list (identified by its dpk_**** prefix and name)
- Click the revoke action
Revoking a key:
- Immediately blocks all future API calls using that key
- Does not invalidate session tokens already created with the key
- Preserves the audit trail — the key record is retained but marked inactive
- Can be reactivated if needed
Security
- Keys are hashed with SHA-256 before storage — raw keys cannot be recovered from the database
- Only the first 8 characters (dpk_xxxx) are stored in plaintext for identification
- Keys can be set to expire automatically on a specific date
- All key usage is logged for auditing purposes
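The storage scheme listed above, sketched as an added example (this is not DailyPlay's code): generate a key in the documented format, keep only its SHA-256 digest and 8-character prefix, then verify a presented key in constant time while honoring revocation and expiry. The function names, the `key_hash` and `active` fields, the lowercase-hex assumption and the log-redaction helper are hypothetical; `key_prefix` and `expires_at` are the field names used in this page's API examples.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timezone

# Format stated on this page: dpk_ + 40 hex chars (lowercase assumed).
KEY_RE = re.compile(r"dpk_[0-9a-f]{40}")


def generate_key():
    """New raw key from a CSPRNG: 20 random bytes -> 40 hex characters."""
    return "dpk_" + secrets.token_hex(20)


def make_record(raw_key, name, expires_at=None):
    """What the database keeps: digest and 8-char prefix, never the raw key."""
    return {
        "name": name,
        "key_prefix": raw_key[:8],
        "key_hash": hashlib.sha256(raw_key.encode()).hexdigest(),  # hypothetical field
        "expires_at": expires_at,
        "active": True,  # hypothetical field; revoking sets it to False
    }


def verify(presented, record, now=None):
    """Accept a presented key only if it matches, is active and is unexpired."""
    if not isinstance(presented, str) or not KEY_RE.fullmatch(presented):
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(digest, record["key_hash"]):  # constant-time compare
        return False
    if not record["active"]:
        return False
    now = now or datetime.now(timezone.utc)
    return record["expires_at"] is None or now < record["expires_at"]


def redact(text):
    """Mask raw keys in log text, leaving only the 8-char prefix."""
    return KEY_RE.sub(lambda m: m.group(0)[:8] + "****", text)
```

Running `redact` over request logs before they are written keeps the audit trail searchable by prefix without storing a usable credential.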
Managing Keys via API
You can also manage API keys programmatically using authenticated requests (Clerk bearer token):
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/org-api-keys?org_id=<id> | List all API keys for an org |
| POST | /api/org-api-keys | Create a new API key |
| PATCH | /api/org-api-keys | Update or revoke an API key |
| DELETE | /api/org-api-keys?id=<id>&org_id=<id> | Permanently delete an API key |
Create a Key (API)
```bash
curl -X POST https://app.dailyplay.ai/api/org-api-keys \
  -H "Authorization: Bearer <clerk_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "org_id": 1,
    "name": "Production CRM",
    "description": "Used by the CRM to issue game links",
    "allowed_game_ids": [42, 43],
    "rate_limit_per_minute": 60,
    "rate_limit_per_day": 10000,
    "expires_at": "2027-01-01T00:00:00Z"
  }'
```
The response includes the raw key (shown only once):
```json
{
  "success": true,
  "data": {
    "id": 1,
    "name": "Production CRM",
    "key_prefix": "dpk_a1b2",
    "key": "dpk_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"
  }
}
```