
Authentication

Learn how to authenticate your API requests with API keys.

API Keys

DriveDecision uses API keys to authenticate requests. You can manage your API keys from your dashboard.

Keep your API keys secure

Never expose your API keys in client-side code, public repositories, or anywhere they could be accessed by others. API keys carry your account's privileges.

Using Your API Key

Include your API key in the Authorization header with every request:

Authorization Header
Authorization: Bearer YOUR_API_KEY

Example Request

bash
curl -X GET "https://api.drivedecision.com/v1/vehicles/honda/civic" \
  -H "Authorization: Bearer dd_live_abc123xyz789" \
  -H "Content-Type: application/json"

API Key Types

DriveDecision provides two types of API keys for different environments:

Live Keys

dd_live_*

Use in production. Requests count against your quota and rate limits.

Test Keys

dd_test_*

Use in development. Requests return mock data and don't count against your quota.

Managing API Keys

From your dashboard, you can:

  • Create new keys - Generate multiple keys for different applications
  • Revoke keys - Immediately disable compromised or unused keys
  • View usage - Monitor requests per key
  • Set restrictions - Limit keys to specific IP addresses or domains

Authentication Errors

When authentication fails, the API returns one of these errors:

Error             HTTP  Cause
INVALID_API_KEY   401   The API key is invalid, revoked, or doesn't exist
MISSING_API_KEY   401   No Authorization header provided
EXPIRED_API_KEY   401   The API key has expired (enterprise keys only)
IP_RESTRICTED     403   Request IP not in allowed list for this key

Example Error Response

json
{
  "success": false,
  "error": {
    "code": "INVALID_API_KEY",
    "message": "The API key provided is invalid or has been revoked.",
    "hint": "Check your API key in the dashboard at drivedecision.com/dashboard"
  }
}

Security Best Practices

Use environment variables

Store your API key in environment variables, never hardcode it in your application.

Use server-side only

Make API calls from your backend server. Never expose keys in frontend JavaScript.

Rotate keys periodically

Create new keys and revoke old ones periodically, especially if team members change.

Use IP restrictions

For production, restrict API keys to known server IP addresses.
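
The practices above as a server-side helper, added here as an example and not DriveDecision's own code: it reads the key from an environment variable, refuses a key whose dd_live_/dd_test_ prefix does not match the deployment, keeps the key out of error messages, and interprets the authentication errors from the table earlier on this page. The variable name DRIVEDECISION_API_KEY, the function names and the advice strings are assumptions.

```python
import json
import os

ENV_VAR = "DRIVEDECISION_API_KEY"  # assumed variable name, not from the docs
PREFIXES = {"dd_live_": "live", "dd_test_": "test"}  # key types from this page
# Codes and HTTP statuses come from the page's error table; the advice text is added.
AUTH_ERRORS = {
    "INVALID_API_KEY": (401, "key invalid or revoked: check the dashboard, do not retry"),
    "MISSING_API_KEY": (401, "no Authorization header sent: fix the client"),
    "EXPIRED_API_KEY": (401, "key expired: create a new key"),
    "IP_RESTRICTED": (403, "caller IP is not in the key's allowed list"),
}

def key_type(key):
    """Return 'live' or 'test' from the key prefix; raise on any other format."""
    for prefix, kind in PREFIXES.items():
        if key.startswith(prefix) and len(key) > len(prefix):
            return kind
    raise ValueError("API key does not start with dd_live_ or dd_test_")

def redact(key):
    """Keep only the type prefix so the value is safe to log."""
    return key[:len("dd_live_")] + "****"

def load_key(environ=os.environ, production=False):
    """Read the key from the environment and reject a key of the wrong type."""
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set")
    kind = key_type(key)
    if (kind == "live") != production:
        raise RuntimeError(f"{kind} key {redact(key)} used with production={production}")
    return key

def auth_headers(key):
    """Build the Authorization header in the format this page documents."""
    return {"Authorization": f"Bearer {key}"}

def explain_auth_error(status, body):
    """Return 'CODE: advice' for a documented auth error, else None."""
    try:
        code = json.loads(body)["error"]["code"]
        expected_status, advice = AUTH_ERRORS[code]
    except (ValueError, KeyError, TypeError):
        return None  # not JSON, or not one of the documented auth errors
    return f"{code}: {advice}" if status == expected_status else None
```
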