Authentication & Authorization

Secure your API access with API keys and permissions

🔐 Security Overview

• All API requests require authentication via API keys

• API keys use Bearer token authentication

• Fine-grained permissions control what each key can do

• Rate limiting prevents abuse and ensures fair usage

• Keys can be deactivated or deleted instantly

API Key Management

Creating API Keys

API keys are created through your dashboard and provide programmatic access to your QR codes.

  1. Log in to your QR Fast account
  2. Navigate to API Keys in your dashboard
  3. Click "Create New API Key"
  4. Enter a descriptive name (e.g., "Production App", "Development")
  5. Select the permissions needed for your use case
  6. Optionally configure custom rate limits
  7. Click "Create" and immediately copy the generated key

⚠️ Important: API keys are only shown once upon creation. Store them securely in your application's configuration or environment variables.

API Key Format

QR Fast API keys follow a consistent format for easy identification:

qrfast_[40_character_random_string]

Example: qrfast_2687e7155fc9ab968b17903f079d699b4b8fd0ef57ff77677c5d1a72bf43606e

Authentication Methods

Bearer Token Authentication

Include your API key in the Authorization header using the Bearer token format:

Authorization: Bearer YOUR_API_KEY

cURL Example

curl -H "Authorization: Bearer qrfast_your_api_key_here" \
  https://qrfa.st/api/v1/qrcode

JavaScript Example

const response = await fetch('https://qrfa.st/api/v1/qrcode', {
  headers: {
    'Authorization': 'Bearer qrfast_your_api_key_here',
    'Content-Type': 'application/json'
  }
});

Python Example

import requests

headers = {
    'Authorization': 'Bearer qrfast_your_api_key_here',
    'Content-Type': 'application/json'
}

response = requests.get('https://qrfa.st/api/v1/qrcode', headers=headers)

Permissions System

Available Permissions

Each API key can be configured with specific permissions to limit what operations it can perform:

qrcode:create

Create new QR codes

👁 qrcode:read

View QR code details and list QR codes

✏️ qrcode:update

Modify existing QR codes

🗑 qrcode:delete

Delete QR codes

Permission Examples

Read-Only API Key

Perfect for analytics dashboards or monitoring systems:

["qrcode:read"]

Content Management API Key

For applications that create and update QR codes but don't delete:

["qrcode:create", "qrcode:read", "qrcode:update"]

Full Access API Key

Complete control over QR codes (use with caution):

["qrcode:create", "qrcode:read", "qrcode:update", "qrcode:delete"]

Security Best Practices

🛡️ Protecting Your API Keys

✅ Do

  • Store keys in environment variables
  • Use different keys for different environments
  • Apply principle of least privilege
  • Rotate keys regularly
  • Monitor API usage for anomalies
  • Use HTTPS for all API calls

❌ Don't

  • Hard-code keys in your source code
  • Commit keys to version control
  • Share keys in plain text
  • Use the same key across environments
  • Grant more permissions than needed
  • Ignore suspicious usage patterns
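The fixed `qrfast_` prefix makes hard-coded or committed keys easy to find before they leave a developer's machine. The scanner below is an added example, not QR Fast's own tooling; the character class and length in its pattern, and the names `scan_text`, `redact` and `FAKE_KEY`, are assumptions made for illustration.

```python
import re
import sys

# Assumption: the key body is a run of 40 or more alphanumeric characters.
# The page states 40 characters and shows a 64-character hex example, so the
# pattern accepts both; tighten it if your keys differ.
KEY_RE = re.compile(r"\bqrfast_[0-9A-Za-z]{40,}")


def redact(key: str) -> str:
    """Keep only the prefix and last 4 characters so findings can be
    correlated without copying the secret into logs or CI output."""
    return f"qrfast_...{key[-4:]}"


def scan_text(text: str, path: str = "<stdin>") -> list[dict]:
    """Return one finding per key-shaped string, with the key redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "key": redact(match.group(0))})
    return findings


# Constructed sample input: FAKE_KEY is not a real credential.
FAKE_KEY = "qrfast_" + "0123456789abcdef" * 4
SAMPLE = "\n".join([
    "import os",
    f"headers = {{'Authorization': 'Bearer {FAKE_KEY}'}}",             # flagged
    "headers = {'Authorization': 'Bearer qrfast_your_api_key_here'}",  # placeholder
    "api_key = os.environ['QRFAST_API_KEY']",                          # env lookup
])

if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:  # e.g. staged files passed in by a pre-commit hook
        hits = []
        for p in paths:
            with open(p, encoding="utf-8", errors="replace") as fh:
                hits += scan_text(fh.read(), p)
    else:      # no arguments: run on the constructed sample
        hits = scan_text(SAMPLE, "sample.py")
    for h in hits:
        print(f"{h['path']}:{h['line']}: possible QR Fast API key {h['key']}")
    sys.exit(1 if hits and paths else 0)
```

Run with file paths as arguments, it exits non-zero when a key-shaped string is found, so it can block a commit or fail a CI job. A key that has already been committed should be deactivated or deleted from the dashboard and replaced.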

Environment Variables

Store your API keys as environment variables to keep them secure:

.env File

QRFAST_API_KEY=qrfast_your_api_key_here
QRFAST_API_URL=https://qrfa.st/api/v1

Node.js Usage

const apiKey = process.env.QRFAST_API_KEY;
const apiUrl = process.env.QRFAST_API_URL;

const response = await fetch(`${apiUrl}/qrcode`, {
  headers: {
    'Authorization': `Bearer ${apiKey}`
  }
});

Python Usage

import os

import requests

# Read the key and base URL from the environment instead of hard-coding them
api_key = os.environ['QRFAST_API_KEY']
api_url = os.environ['QRFAST_API_URL']

headers = {'Authorization': f'Bearer {api_key}'}
response = requests.get(f'{api_url}/qrcode', headers=headers)

Authentication Errors

Common Authentication Errors

401 Unauthorized

The API key is missing, invalid, or inactive:

{
  "error": "UNAUTHORIZED",
  "message": "Invalid or missing API key"
}

Check that you're including the Authorization header and that your API key is correct.

403 Forbidden

The API key lacks permission for the requested operation:

{
  "error": "FORBIDDEN",
  "message": "Insufficient permissions for this operation"
}

Update your API key permissions or use a different key with the required permissions.

429 Too Many Requests

You've exceeded the rate limit for your API key:

{
  "error": "RATE_LIMIT_EXCEEDED",
  "message": "Rate limit exceeded. Try again later."
}

Wait for the rate limit window to reset or request higher limits for your API key.

⏱️ Rate Limiting

Default Limits

  • 100 requests per 15-minute window
  • Limits apply per API key
  • Resets automatically every 15 minutes

Rate Limit Headers

Every API response includes rate limit information:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 87
X-RateLimit-Reset: 1610712900

Custom Rate Limits

You can configure custom rate limits when creating API keys for specific use cases.