API Keys

API keys authenticate your application to the ReleaseAnchor evaluation API. Each key is tied to a specific environment.

Key format

ra_{env-slug}_{43-char-secret}

The environment slug in the key is derived from the environment name: Production becomes production, Staging Server becomes staging_server. The suffix is a cryptographically random 43-character URL-safe base64 string.

The full raw key is hashed with SHA-256 for storage. Only the first 12 characters (ra_productio…) are stored in plaintext and shown as the Prefix column in the dashboard. The raw key is shown only once at creation time.

Authorization header

Pass the key in the Authorization header on every evaluation request:

curl --location 'https://api.releaseanchor.com/v1/evaluate' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: ApiKey <YOUR_API_KEY>' \
  --data '{"flagKey": "new-checkout", "userIdentifier": "10912394"}'

The header format is Authorization: ApiKey <key> — not Bearer, not X-API-Key.

Store your API key securely immediately after creation. It will not be shown again. If you lose it, revoke it and generate a new one.

Creating a key

  1. Open environment settings

    Navigate to your project, select the environment you want the key for, and go to API Keys.

  2. Generate the key

    Click New Key. Enter a descriptive name (e.g. Production Server, Staging Server). Click Create.

  3. Copy and store the key

    Copy the full key immediately. It is displayed only this one time. Store it in your secret manager or as an environment variable.

    # In your server environment
    RELEASE_ANCHOR_KEY=<YOUR_API_KEY>

Active vs. revoked

A key is active when its revokedAt timestamp is null. When revoked, revokedAt is set to the revocation time. Revoked keys are still shown in the list with a revoked badge but no longer authenticate requests.

Revoked keys are rejected immediately — the next request using a revoked key receives a 401 Unauthorized response.

Revoking a key

Go to API Keys → find the key → click Revoke → confirm.

Revocation is immediate. Update your application's environment variables with a new key before revoking the old one to avoid downtime.

If you suspect a key has been exposed (e.g. accidentally committed to git), generate a replacement key first, update your servers, then revoke the exposed key.
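
A scanner for the exposure case above, as an added example that is not ReleaseAnchor's own code: it finds strings with the documented key shape in text such as a staged diff or a .env file and reports only the 12-character prefix, which can be matched against the Prefix column in the dashboard to identify the key to replace and revoke. The slug character set, the function names and the sample input are assumptions.

```python
import base64
import re

# Key shape from the page: ra_{env-slug}_{43-char URL-safe base64 secret}.
# Assumption: slugs contain only lowercase letters, digits and underscores.
KEY_RE = re.compile(
    r"(?<![A-Za-z0-9_-])ra_[a-z0-9_]+_[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])"
)
PREFIX_LEN = 12  # length of the plaintext Prefix column in the dashboard


def find_keys(text, source="<input>"):
    """Return one finding per key-shaped string, reporting only its prefix."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append(
                {"source": source, "line": lineno,
                 "prefix": match.group(0)[:PREFIX_LEN]}
            )
    return findings


def redact(text):
    """Replace every key-shaped string with its prefix and a marker."""
    return KEY_RE.sub(lambda m: m.group(0)[:PREFIX_LEN] + "[REDACTED]", text)


# Constructed sample: a fake 43-character secret built from fixed bytes.
FAKE_SECRET = base64.urlsafe_b64encode(bytes(range(32))).decode().rstrip("=")
SAMPLE = "\n".join([
    "# constructed .env content, not real credentials",
    f"RELEASE_ANCHOR_KEY=ra_production_{FAKE_SECRET}",
    f'headers = {{"Authorization": "ApiKey ra_staging_server_{FAKE_SECRET}"}}',
    "RELEASE_ANCHOR_KEY=ra_production_tooshort",
])

if __name__ == "__main__":
    for finding in find_keys(SAMPLE, source="sample.env"):
        print(f"{finding['source']}:{finding['line']}: key with prefix "
              f"{finding['prefix']} found; replace it, then revoke it")
    print(redact(SAMPLE))
```

Running `redact` over logs or error reports before they leave the server keeps the prefix for correlation while dropping the secret.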

Security best practices

  • Store keys in environment variables or a secret manager — never hardcode them in source code
  • Use a separate key per environment — do not reuse a Production key in Staging
  • Use a separate key per service if multiple services evaluate flags — easier to rotate if one is compromised