API Keys
Every request to the Quiz Quail API must be authenticated with an API key. You can create and manage keys from your dashboard settings.Key Format
API keys use the prefixqk_live_ followed by 40 hex characters:
Creating a Key
- Go to Settings > API Keys in the Quiz Quail dashboard.
- Click Create API Key.
- Give the key a descriptive name (e.g., “CI Pipeline” or “Mobile App”).
- Select the scopes your key needs.
- Copy the key immediately and store it in a secure location.
Revoking a Key
You can revoke a key at any time from the API Keys settings page. Revoked keys are rejected immediately on the next request. Revocation cannot be undone — you will need to create a new key.Using Your API Key
Pass your API key in theAuthorization header as a Bearer token.
Scopes
Each API key is assigned one or more scopes that control which endpoints it can access. Follow the principle of least privilege — only grant the scopes your integration actually needs.Available Scopes
| Scope | Description |
|---|---|
quizzes:read | Read quizzes, rounds, and questions |
quizzes:write | Create, update, and delete quizzes |
themes:read | Read themes |
themes:write | Create, update, and delete themes |
media:read | Read and list media files |
media:write | Upload and delete media files |
renders:read | Read render jobs and their status |
renders:write | Create and manage render jobs |
youtube:read | Read YouTube upload status and metadata |
youtube:write | Upload videos to YouTube and manage uploads |
webhooks:read | Read webhook configurations |
webhooks:write | Create, update, and delete webhooks |
ai:read | Read AI generation history and status |
ai:write | Generate quizzes and content using AI |
Common Scope Combinations
| Use Case | Recommended Scopes |
|---|---|
| Read-only dashboard | quizzes:read, themes:read, renders:read |
| CI/CD rendering pipeline | quizzes:read, renders:read, renders:write |
| Full quiz management | quizzes:read, quizzes:write, themes:read, themes:write, media:read, media:write |
| YouTube publishing | renders:read, youtube:read, youtube:write |
| AI-powered quiz creation | quizzes:read, quizzes:write, ai:read, ai:write |
Error Responses
Authentication and authorization errors follow the RFC 9457 Problem Details format.401 Unauthorized
Returned when no valid credentials are provided — the key is missing, malformed, or revoked.- Missing
Authorizationheader - Incorrect key (typo or wrong environment)
- Key has been revoked
403 Forbidden
Returned when your key is valid but does not have the required scopes for the endpoint.detail field tells you exactly which scopes are missing versus which scopes your key has.
Security Best Practices
Store keys in environment variables
Store keys in environment variables
Never hard-code API keys in source code. Use environment variables or a secrets manager.
Use minimum required scopes
Use minimum required scopes
Grant each key only the scopes it needs. A rendering pipeline does not need
quizzes:write. A read-only dashboard does not need media:write. If a key is compromised, limited scopes reduce the blast radius.Rotate keys regularly
Rotate keys regularly
Create a new key, update your integration to use it, then revoke the old key. This limits the window of exposure if a key is leaked.
Use separate keys per environment
Use separate keys per environment
Create distinct keys for development, staging, and production. If a development key is exposed, your production data is unaffected.
Never expose keys in client-side code
Never expose keys in client-side code
API keys should only be used in server-side code. Never embed them in JavaScript bundles, mobile apps, or browser requests where they can be inspected.
Monitor key usage
Monitor key usage
Check the Last Used column in your API Keys settings to identify unused keys. Revoke any key that is no longer in active use.