Every call to the RFCCheck API is authenticated with an API key passed in the x-api-key header. Keys are bound to an account or an organization and inherit that owner's plan and balance.
Generating a key
Open API Keys in your dashboard and click Create key. Give the key a label so future-you can tell apart your CI key from your production key.
Keys are shown only once at creation time. Copy yours into a secret manager (1Password, AWS Secrets Manager, Doppler, .env, your CI provider's secrets) before navigating away. If you lose a key, delete it and create a new one. There is no way to recover it.
Using a key
Pass the key in the x-api-key header on every request:
curl -X POST https://rfccheck.com/v1/rfc/verify \
-H "x-api-key: rfc_your_api_key" \
-H "Content-Type: application/json" \
-d '{"rfc": "XAXX010101000"}'await fetch("https://rfccheck.com/v1/rfc/verify", {
method: "POST",
headers: {
"x-api-key": process.env.RFCCHECK_API_KEY,
"Content-Type": "application/json",
},
body: JSON.stringify({ rfc: "XAXX010101000" }),
});import os, requests
requests.post(
"https://rfccheck.com/v1/rfc/verify",
headers={"x-api-key": os.environ["RFCCHECK_API_KEY"]},
json={"rfc": "XAXX010101000"},
)Rotating keys
Rotate keys whenever a teammate leaves or a key may have been exposed. The recommended pattern: create the new key, deploy it to your secret store, switch traffic over, then delete the old key from the dashboard.
Organization keys
Keys created inside an organization (under /org/:slug/api-keys) bill against the organization's plan and balance, not the creator's personal account. Use organization keys whenever the cost should be attributed to a team rather than an individual.
Error responses
-
401 Unauthorized: the key is missing, malformed, or has been deleted. -
402 Payment Required: the key authenticated, but the owner has no remaining credits or prepaid balance. -
429 Too Many Requests: rate limit exceeded. Back off and retry.