API keys go through a multi-layer security process:
- At creation, the raw key is shown once and never stored. Only a SHA-256 hash is persisted.
- The key prefix (first 8 characters) is stored for identification in logs and the dashboard.
- At the edge, the Cloudflare Worker authenticates the key via KV lookup, verifies the hash, and strips the raw key from the request before forwarding to the application backend.
- Internal requests carry signed context such as the developer ID, key ID, tier, and org scope.

If a key is compromised, revoke it immediately from the dashboard. A new key can be created in seconds.
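
The lifecycle described above, sketched as an added example for Node.js; it is not this service's own code. Assumptions: the KV store is modeled as a `Map` keyed by the 8-character prefix, the header names `x-api-key`, `x-auth-context` and `x-auth-signature` are hypothetical, the context is signed with HMAC-SHA256 using a secret shared between edge and backend, and revocation is a `revoked` flag on the record.

```javascript
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
const sign = (secret, body) =>
  crypto.createHmac('sha256', secret).update(body).digest('hex');

// Creation: return the raw key once; persist only prefix, hash and metadata.
function createKey(kv, meta) {
  const rawKey = crypto.randomBytes(24).toString('hex');
  const prefix = rawKey.slice(0, 8); // first 8 characters, for logs and dashboard
  kv.set(prefix, { ...meta, keyId: crypto.randomUUID(), hash: sha256(rawKey), revoked: false });
  return { rawKey, prefix };
}

// Edge: KV lookup, hash verification, strip the raw key, attach signed context.
function authenticateAtEdge(kv, headers, secret) {
  const rawKey = headers['x-api-key'] || '';
  const record = kv.get(rawKey.slice(0, 8));
  if (!record || record.revoked) return null;
  // Both digests are 32 bytes, so the constant-time compare never throws.
  if (!crypto.timingSafeEqual(sha256(rawKey), record.hash)) return null;
  const { 'x-api-key': _stripped, ...forwarded } = headers; // raw key stops here
  const context = JSON.stringify({
    developerId: record.developerId, keyId: record.keyId,
    tier: record.tier, orgScope: record.orgScope,
  });
  return { ...forwarded, 'x-auth-context': context, 'x-auth-signature': sign(secret, context) };
}

// Backend: accept the context only if the edge's signature verifies.
function verifyContext(headers, secret) {
  const body = headers['x-auth-context'] || '';
  const expected = Buffer.from(sign(secret, body), 'hex');
  const given = Buffer.from(headers['x-auth-signature'] || '', 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  return JSON.parse(body);
}
```

Because the backend checks the signature rather than trusting the headers, a request that reaches it without passing through the edge cannot assert its own tier or org scope.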