Skip to main content

API Keys

API keys are used to identify your project and authenticate requests. Each key is scoped to a single project.

Using Your API Key

Include your API key in the x-api-key header with every request: 
curl https://api.usethunder.com/v1/ingest \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '...'

Key Format

API keys follow this format: 
tk_live_abc123def456...
  • tk_ - Thunder key prefix
  • live_ or test_ - Environment indicator
  • Random alphanumeric string
Never expose your API keys in client-side code or public repositories. API keys should only be used in server-side applications.

Error Responses

Missing API Key

If you forget to include the x-api-key header: 
{
  "success": false,
  "error": {
    "code": "MISSING_API_KEY",
    "message": "x-api-key header is required"
  }
}
Status code: 401 Unauthorized

Invalid API Key

If your API key is incorrect or has been revoked: 
{
  "success": false,
  "error": {
    "code": "INVALID_API_KEY",
    "message": "Invalid or inactive API key"
  }
}
Status code: 401 Unauthorized

Rate Limiting

The API enforces rate limits to ensure fair usage:
LimitValue
Requests per second1,000
Max messages per ingest request10,000
When you exceed the rate limit, you’ll receive a 429 Too Many Requests response. Implement exponential backoff in your integration to handle rate limits gracefully.

Security Best Practices

Use environment variables or a secrets manager. Never hardcode API keys in your source code.
Make API calls from your backend, not from browsers or mobile apps where keys could be extracted.
Create new keys and revoke old ones on a regular schedule. This limits the impact if a key is compromised.
Use different API keys for development, staging, and production to maintain isolation.