Authentication & Authorization
Secure your API access with API keys and permissions
🔐 Security Overview
• All API requests require authentication via API keys
• API keys use Bearer token authentication
• Fine-grained permissions control what each key can do
• Rate limiting prevents abuse and ensures fair usage
• Keys can be deactivated or deleted instantly
API Key Management
Creating API Keys
API keys are created through your dashboard and provide programmatic access to your QR codes.
1. Log in to your QR Fast account
2. Navigate to API Keys in your dashboard
3. Click "Create New API Key"
4. Enter a descriptive name (e.g., "Production App", "Development")
5. Select the permissions needed for your use case
6. Optionally configure custom rate limits
7. Click "Create" and immediately copy the generated key
⚠️ Important: API keys are only shown once upon creation. Store them securely in your application's configuration or environment variables.
API Key Format
QR Fast API keys follow a consistent format for easy identification:
qrfast_[40_character_random_string]
Example: qrfast_2687e7155fc9ab968b17903f079d699b4b8fd0ef57ff77677c5d1a72bf43606e
Authentication Methods
Bearer Token Authentication
Include your API key in the Authorization header using the Bearer token format:
Authorization: Bearer YOUR_API_KEY
cURL Example
JavaScript Example
const response = await fetch('https://qrfa.st/api/v1/qrcode', {
  headers: {
    'Authorization': 'Bearer qrfast_your_api_key_here',
    'Content-Type': 'application/json'
  }
});
Python Example
import requests

headers = {
    'Authorization': 'Bearer qrfast_your_api_key_here',
    'Content-Type': 'application/json'
}
response = requests.get('https://qrfa.st/api/v1/qrcode', headers=headers)
Permissions System
Available Permissions
Each API key can be configured with specific permissions to limit what operations it can perform:
qrcode:create
Create new QR codes
qrcode:read
View QR code details and list QR codes
qrcode:update
Modify existing QR codes
qrcode:delete
Delete QR codes
Permission Examples
Read-Only API Key
Perfect for analytics dashboards or monitoring systems:
["qrcode:read"]
Content Management API Key
For applications that create and update QR codes but don't delete:
["qrcode:create", "qrcode:read", "qrcode:update"]
Full Access API Key
Complete control over QR codes (use with caution):
["qrcode:create", "qrcode:read", "qrcode:update", "qrcode:delete"]
Security Best Practices
🛡️ Protecting Your API Keys
✅ Do
• Store keys in environment variables
• Use different keys for different environments
• Apply principle of least privilege
• Rotate keys regularly
• Monitor API usage for anomalies
• Use HTTPS for all API calls
❌ Don't
• Hard-code keys in your source code
• Commit keys to version control
• Share keys in plain text
• Use the same key across environments
• Grant more permissions than needed
• Ignore suspicious usage patterns
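The fixed qrfast_ prefix described under API Key Format makes committed keys easy to find mechanically, which is one way to enforce the "don't commit keys" rule. The scanner below is an added example, not QR Fast's own code, and could be run as a pre-commit check. It assumes a key is the prefix followed by 40 or more alphanumeric characters; the sample key and input lines are constructed.

```python
import re
import sys

# Assumption: a key is the "qrfast_" prefix plus 40 or more alphanumeric
# characters, which covers the stated format and the longer example key.
KEY_RE = re.compile(r"qrfast_[A-Za-z0-9]{40,}")

# Constructed sample input; the key is fake and built at runtime.
FAKE_KEY = "qrfast_" + "0123456789abcdef" * 4
SAMPLE = "\n".join([
    "QRFAST_API_URL=https://qrfa.st/api/v1",
    "headers = {'Authorization': 'Bearer qrfast_your_api_key_here'}",
    f"QRFAST_API_KEY={FAKE_KEY}",
])

def redact(key):
    """Show only the prefix and last four characters so the report does not leak the key."""
    return "qrfast_" + "*" * 8 + key[-4:]

def scan_text(text, path="<input>"):
    """Return (path, line number, redacted key) for every key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((path, lineno, redact(match.group(0))))
    return findings

def scan_files(paths):
    """Scan each readable file; directories and unreadable paths are skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError:
            continue
    return findings

def main(argv):
    """Exit status 1 when a key is found, so a pre-commit hook blocks the commit."""
    findings = scan_files(argv) if argv else scan_text(SAMPLE)
    for path, lineno, shown in findings:
        print(f"{path}:{lineno}: possible QR Fast API key {shown}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Pass the staged file paths as arguments; with no arguments it scans the constructed sample. The documentation placeholder qrfast_your_api_key_here is not flagged because it is not key-shaped.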
Environment Variables
Store your API keys as environment variables to keep them secure:
.env File
Node.js Usage
const apiKey = process.env.QRFAST_API_KEY;
const apiUrl = process.env.QRFAST_API_URL;

const response = await fetch(`${apiUrl}/qrcode`, {
  headers: {
    'Authorization': `Bearer ${apiKey}`
  }
});
Python Usage
import os

import requests

# Read the key and base URL from the environment instead of the source code
api_key = os.environ['QRFAST_API_KEY']
api_url = os.environ['QRFAST_API_URL']

headers = {'Authorization': f'Bearer {api_key}'}
response = requests.get(f'{api_url}/qrcode', headers=headers)
Authentication Errors
Common Authentication Errors
401 Unauthorized
The API key is missing, invalid, or inactive:
{ "error": "UNAUTHORIZED", "message": "Invalid or missing API key" }
Check that you're including the Authorization header and that your API key is correct.
403 Forbidden
The API key lacks permission for the requested operation:
{ "error": "FORBIDDEN", "message": "Insufficient permissions for this operation" }
Update your API key permissions or use a different key with the required permissions.
429 Too Many Requests
You've exceeded the rate limit for your API key:
{ "error": "RATE_LIMIT_EXCEEDED", "message": "Rate limit exceeded. Try again later." }
Wait for the rate limit window to reset or request higher limits for your API key.
⏱️ Rate Limiting
Default Limits
• 100 requests per 15-minute window
• Limits apply per API key
• Resets automatically every 15 minutes
Rate Limit Headers
Every API response includes rate limit information:
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 87
X-RateLimit-Reset: 1610712900
Custom Rate Limits
You can configure custom rate limits when creating API keys for specific use cases.