Skip to main content

Overview

API keys are used to authenticate your requests to the Chidori API. Each key is tied to your account and can be configured with specific permissions and environment modes.

API key structure

Chidori API keys follow this format: 
sk_{mode}_{id}.{secret}
ComponentDescription
sk_Prefix indicating a secret key
{mode}Either sandbox or live
{id}Unique identifier (UUID)
{secret}32-character secret hash
Example keys: 
sk_sandbox_7c9aa6f0-0f62-4bb2-a3aa-6c7bbf7b9a1a.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
sk_live_8d0bb7f1-1g73-5cc3-b4bb-7d8ccg8c0b2b.bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

Creating API keys

1

Log in to your dashboard

Navigate to chidori.africa/dashboard and sign in.
2

Go to API Keys section

Find the API Keys section in your dashboard navigation.
3

Create a new key

Click Create API Key and fill in the details:
  • Name: A descriptive name (e.g., “Production Server”, “Development”)
  • Mode: Choose sandbox for testing or live for production
  • Permissions: Select the permissions this key should have
4

Copy your key

The full API key is only displayed once. Copy it immediately and store it securely.
After creation, you will see the complete API key. Copy it and store it in a secure location like a password manager or environment variables.

Using API keys

Include your API key in the X-API-Key header for all API requests: 
curl https://api.chidori.africa/api/deliveries/list \
  -H "X-API-Key: sk_live_xxx.yyy"

Revoking API keys

If an API key is compromised or no longer needed, revoke it immediately:
1

Access your dashboard

Go to chidori.africa/dashboard.
2

Find the key

Locate the API key you want to revoke in the API Keys section.
3

Revoke the key

Click the revoke button. The key will be immediately invalidated.
Revoking a key is permanent. Any applications using that key will immediately lose access.

Security best practices

API keys should only be used in server-side code. Never include them in:
  • JavaScript running in browsers
  • Mobile app source code
  • Public repositories
  • Client-side configuration files
Store API keys in environment variables, not in your codebase:
# .env file (never commit this)
CHIDORI_API_KEY=sk_live_xxx.yyy

// Access in your code
const apiKey = process.env.CHIDORI_API_KEY;
Create different API keys for:
  • Local development (sandbox)
  • Staging/testing (sandbox)
  • Production (live)
Regularly rotate your API keys, especially for production environments. Create a new key, update your applications, then revoke the old key.
Only grant the permissions each key actually needs. See Permissions for details.

Error responses

When authentication fails, you will receive one of these errors:
Status CodeMessageCause
401UnauthorizedMissing or invalid API key
403ForbiddenKey lacks required permission
{
  "status": false,
  "message": "Unauthorized"
}

{
  "status": false,
  "message": "Missing required permission: delivery:create"
}

Next steps

Permissions

Learn about API key permissions.

Environments

Understand sandbox vs live environments.