Manage API keys for secure access
Create and manage API keys for authenticating with the Edge API. Revoke keys when needed and monitor last-used timestamps.
How scoped API keys provide secure access
API keys are created per project and authenticate requests to the Edge API. Each key is associated with a project and grants full access to that project's lookup and export endpoints.
Each key is generated with a recognizable prefix (e.g., redir_live_) for easy identification in code and logs. Keys are stored as salted SHA-256 hashes — the full key is only shown once at creation time and cannot be retrieved afterward.
To rotate a key, create a new key, update your services to use the new key, then revoke the old one. This manual workflow ensures you have full control over the transition process.
Why teams choose this
Built for performance, reliability, and developer experience.
Key Creation
Create named API keys per project for authenticating with the Edge API.
Secure Storage
Keys are stored as salted hashes — the full key is shown once at creation and cannot be retrieved.
Key Revocation
Revoke compromised keys instantly. Create a new key, update clients, then revoke the old one.
Last Used Tracking
See when each key was last used to identify inactive keys for cleanup.
API key management use cases
Service-to-service auth
Create dedicated keys for each service that queries the Edge API, making it easy to revoke one without affecting others.
Key per environment
Use separate API keys for development, staging, and production environments for clear separation.
CI/CD pipelines
Create dedicated keys for your CI/CD system to trigger deployments via the API.
Key hygiene
Use last-used timestamps to identify and revoke unused keys, keeping your key inventory clean and secure.
How we compare
See how Redirections compares to alternatives.
Defense in depth for your redirect API
API keys provide authentication for the Edge API without exposing your Convex credentials. Each key is scoped to a single project, so a compromised key only affects one project's data. Creating separate keys for different services or environments makes it easy to revoke one without disrupting others.
Last-used timestamps are tracked for each key, helping you identify keys that are no longer in active use. Regular key audits — reviewing last-used dates and revoking unused keys — are a simple way to maintain good security hygiene.
Keys are permanent until manually revoked. When you revoke a key, it is immediately invalidated and can no longer authenticate API requests. The key prefix remains visible in your dashboard for audit purposes even after revocation.
Related Articles
Dynamic Edge Redirects: Low-Latency Lookups for Nginx and Next.js
Implementing sub-10ms redirect lookups at the edge using Nginx maps and Next.js Edge Config.
Architecting Edge Redirects: Reducing Latency and Enhancing Privacy in 2026
Optimizing redirect patterns using CDN Rules Engines and Edge Workers to achieve sub-50ms global latency.
Related features
Explore more capabilities that work great together.
Secure your API access
Create API keys for authenticating with the Edge API. Free tier includes 1 key per project.
No credit card required · Free tier available