> ## Documentation Index
> Fetch the complete documentation index at: https://developer.verilock.io/llms.txt
> Use this file to discover all available pages before exploring further.

# API Keys

> Create and manage API keys from the Verilock dashboard.

## Getting Your API Key

<Steps>
  <Step title="Sign in to your Dashboard">
    Go to [verilock.io/dashboard](https://verilock.io/dashboard) and sign in with your account.
  </Step>

  <Step title="Navigate to API Keys">
    Open **Settings > API Keys** from the sidebar.
  </Step>

  <Step title="Create a new key">
    Click **"Create API Key"**, give it a descriptive name (e.g., `Production Backend`, `Staging Server`), and copy the generated key.
  </Step>
</Steps>

<Warning>
  The full API key is displayed only once at creation. Store it in a secure secrets manager immediately. If lost, revoke the key and create a new one.
</Warning>

## Key Properties

| Property       | Type     | Description                                                    |
| -------------- | -------- | -------------------------------------------------------------- |
| `name`         | string   | Human-readable label for identification                        |
| `key`          | string   | The API key value -- use in the `Authorization: Bearer` header |
| `prefix`       | string   | `qi_live_` for production, `qi_test_` for sandbox              |
| `created_at`   | datetime | When the key was generated                                     |
| `last_used_at` | datetime | Last time the key was used for an API call                     |

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Use environment variables" icon="terminal">
    Store keys in `VERILOCK_API_KEY` env vars. Never hardcode them in source code.
  </Card>

  <Card title="Separate environments" icon="code-branch">
    Use distinct keys for development, staging, and production. Revoke keys when environments are decommissioned.
  </Card>

  <Card title="Rotate regularly" icon="rotate">
    Rotate production keys quarterly. Create the new key, update your services, then revoke the old key.
  </Card>

  <Card title="Server-side only" icon="server">
    Never include API keys in frontend code, mobile apps, or client-side JavaScript. All calls must come from your backend.
  </Card>
</CardGroup>

## Example Configuration

<CodeGroup>
  ```bash .env theme={null}
  VERILOCK_API_KEY=qi_live_your_api_key_here
  VERILOCK_WEBHOOK_SECRET=whsec_your_webhook_secret_here
  ```

  ```php Laravel (config/services.php) theme={null}
  'verilock' => [
      'api_key' => env('VERILOCK_API_KEY'),
      'webhook_secret' => env('VERILOCK_WEBHOOK_SECRET'),
  ],
  ```

  ```javascript Node.js theme={null}
  const verilock = new Verilock(process.env.VERILOCK_API_KEY);
  ```
</CodeGroup>
