API Key Management
Soku provides API keys that let you access the Public API programmatically. You can generate, view, and revoke API keys from the API Key Management page at /settings/api.
Accessing API Key Management
- Log in to your Soku dashboard at mysoku.io.
- Go to Settings in the main sidebar.
- Click the API tab (or navigate directly to /settings/api).
Generating a New API Key
- On the API Key Management page, click Generate New Key.
- Give your key a descriptive name (for example, “Production Server” or “Zapier Integration”).
- Click Create.
- Your new API key is displayed on screen.
Your API key is only shown once at the time of creation. Copy it immediately and store it in a secure location (such as a password manager or environment variable). You will not be able to view the full key again.
Soku API keys follow this format:
sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
All keys begin with the sk_live_ prefix, followed by a unique string of characters.
How Keys Are Stored
For security, Soku does not store your API key in plain text. When you create a key, the raw key is shown to you once, and then a SHA-256 hash of the key is stored on our servers. This means:
- Soku can verify your key when you use it, but cannot retrieve the original key.
- If you lose your key, you must revoke it and generate a new one.
- Your raw key would not be exposed even if our database were compromised.
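The storage scheme described above, sketched as an added example (it is not Soku's own code): only a SHA-256 digest and a preview are kept, digests are compared in constant time, and unknown or revoked keys map to 401. The `KeyStore` class, the 32-hex-character key body, and the preview length are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PREFIX = "sk_live_"  # key prefix documented on this page

def _digest(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

class KeyStore:
    """Hypothetical in-memory key table: holds digests, never raw keys."""

    def __init__(self):
        self._rows = []  # each row: name, digest, preview, revoked

    def create(self, name: str) -> str:
        # Assumption: 32 hex characters follow the prefix (the page shows only x's).
        raw_key = PREFIX + secrets.token_hex(16)
        self._rows.append({
            "name": name,
            "digest": _digest(raw_key),
            "preview": raw_key[:11] + "..." + raw_key[-3:],  # assumed preview length
            "revoked": False,
        })
        return raw_key  # returned once; only the digest and preview are kept

    def revoke(self, name: str) -> None:
        for row in self._rows:
            if row["name"] == name:
                row["revoked"] = True

    def authenticate(self, authorization: str) -> int:
        """Map an Authorization header value to an HTTP status code."""
        scheme, _, presented = authorization.partition(" ")
        if scheme != "Bearer" or not presented.startswith(PREFIX):
            return 401
        candidate = _digest(presented)
        for row in self._rows:
            if hmac.compare_digest(row["digest"], candidate):  # constant-time compare
                return 401 if row["revoked"] else 200
        return 401

    def stored_fields(self) -> list:
        return [dict(row) for row in self._rows]  # what a database dump would hold

if __name__ == "__main__":
    store = KeyStore()
    key = store.create("Production Server")
    print(store.authenticate("Bearer " + key), store.stored_fields()[0]["preview"])
```
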
Viewing Your Keys
The API Key Management page shows a list of all your active API keys, including:
| Column | Description |
|---|---|
| Name | The label you gave the key when you created it. |
| Key preview | The first and last few characters of the key (e.g., sk_live_abc...xyz). The full key is not shown. |
| Created date | When the key was generated. |
| Status | Whether the key is active or revoked. |
Copying a Key
When you first generate a key, a Copy button is available next to the displayed key. Click it to copy the full key to your clipboard.
After you leave the page or refresh, the full key is no longer available. Only the preview (first and last characters) is shown.
Revoking a Key
If a key is compromised or no longer needed:
- Go to Settings > API.
- Find the key in your list.
- Click Revoke.
- Confirm the revocation.
Once revoked, the key immediately stops working. Any API requests using the revoked key will receive a 401 Unauthorized response.
Revoking a key is permanent and takes effect immediately. Make sure any applications using the key are updated to use a new key before revoking the old one.
Using Your API Key
Include your API key in the Authorization header of every API request:
Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
For full details on API authentication, see Authentication.
Best Practices
| Practice | Why |
|---|---|
| Store keys in environment variables | Never hardcode API keys in source code or commit them to version control. |
| Use descriptive names | Name your keys after their purpose (e.g., “Production”, “Staging”, “CI/CD Pipeline”) so you can identify them later. |
| Rotate keys periodically | Generate a new key and revoke the old one on a regular schedule to reduce risk. |
| Revoke unused keys | If a key is no longer in use, revoke it immediately. |
| One key per integration | Use separate keys for different applications or environments so you can revoke one without affecting others. |
Troubleshooting
| Problem | Solution |
|---|---|
| Lost my API key | Generate a new key and revoke the lost one. The original key cannot be retrieved. |
| API returns 401 Unauthorized | Check that you are using the correct key, that it has not been revoked, and that it is included in the Authorization header as a Bearer token. |
| Key not working after creation | Make sure you copied the full key (including the sk_live_ prefix) and that there are no extra spaces. |
For more API troubleshooting, see API Troubleshooting.