Authentication

Authenticate your API requests with an API key.

API Keys

All API requests require an API key passed via the X-API-Key header.

bash
curl -X POST https://api.fingerprintiq.com/v1/identify \
  -H "Content-Type: application/json" \
  -H "X-API-Key: fiq_live_your_api_key" \
  -d '{"signals": {...}}'

Key Types

X-API-Key string required

Your API key. Two formats are supported:

  • fiq_live_ — Live key for production traffic. Counts toward your monthly quota.
  • fiq_test_ — Test key for development and staging. Full functionality, excluded from monthly quota.

Use test keys (fiq_test_) in your CI/CD pipeline, staging environments, and local development. This keeps your production quota clean and makes it easy to distinguish production traffic in your dashboard.

Creating API Keys

2. Select API Keys from the left sidebar.

3. Create a new key. Click Create Key, give it a descriptive name (e.g., "Production Web App"), and select the key type.

4. Copy the key immediately. The full key value is shown only once at creation. Copy it to your secrets manager before closing the dialog.

API keys are shown only once at creation time. If you lose a key, revoke it and create a new one — there is no way to retrieve the original value.

Rate Limits

Plan      Requests/second   Monthly limit
Free      10                10,000
Builder   1,000             50,000
Growth    1,000             250,000
Scale     1,000             2,000,000

When rate limited, the API returns 429 Too Many Requests with a JSON body describing the limit:

json
{ "error": "Monthly API call limit exceeded", "usage": 10001, "limit": 10000 }

The per-second rate limit applies to burst traffic. If your application generates identification requests in bursts (e.g., page load events), implement exponential backoff on 429 responses.
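One way to implement that backoff on the server side, as an added example (not FingerprintIQ's own code). It retries burst 429s with full-jitter exponential backoff but fails fast on the monthly-limit 429 shown above, since retrying cannot succeed until the quota resets. Assumptions: the environment variable name FIQ_API_KEY and all function names are made up here, and a burst 429 is assumed not to carry the usage/limit counters.

```python
import json
import os
import random
import time
import urllib.error
import urllib.request

API_URL = "https://api.fingerprintiq.com/v1/identify"  # endpoint from this page

class QuotaExhausted(Exception):
    """Monthly limit reached: retrying cannot succeed, so fail fast."""

def is_monthly_quota(body):
    # Assumption: only the monthly-limit 429 carries usage/limit counters,
    # as in the sample body above; a burst 429 is assumed to lack them.
    try:
        return body["usage"] >= body["limit"]
    except (KeyError, TypeError):
        return False

def http_send(payload):
    """POST payload; the key is read from the environment (FIQ_API_KEY is a made-up name)."""
    req = urllib.request.Request(
        API_URL, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "X-API-Key": os.environ["FIQ_API_KEY"]})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        try:
            return err.code, json.loads(err.read())
        except ValueError:  # error body was not JSON
            return err.code, {}

def identify_with_backoff(payload, send=http_send, max_retries=5,
                          base=0.5, cap=30.0, sleep=time.sleep, rng=random.random):
    """Retry burst 429s with full-jitter exponential backoff."""
    for attempt in range(max_retries + 1):
        status, body = send(payload)
        if status != 429:
            return status, body
        if is_monthly_quota(body):
            raise QuotaExhausted(body.get("error", "monthly limit exceeded"))
        if attempt < max_retries:
            # Full jitter: uniform in [0, min(cap, base * 2**attempt))
            sleep(rng() * min(cap, base * 2 ** attempt))
    raise RuntimeError(f"still rate limited after {max_retries} retries")
```

The send, sleep and rng parameters exist so the retry logic can be exercised without network access or real delays.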

Security Best Practices

Never expose your API key in client-side JavaScript, public repositories, or build artifacts. Use environment variables on your server and NEXT_PUBLIC_ / Vite import.meta.env.VITE_ prefixes only for public keys used directly in the browser SDK.

  • Server-side keys — Use for calling the visits API (/v1/demo/visits/:id). These keys must never reach the browser.
  • Client-side keys — The SDK uses your key to call /v1/identify. This endpoint enforces domain allowlisting, so even if the key is visible in source, it cannot be used from unauthorized domains.
  • Key rotation — Rotate keys periodically (every 90 days) and immediately if you suspect exposure.