QRForge uses bearer-token authentication over HTTPS. Every API request must include your key in the Authorization header:
Authorization: Bearer qrf_YOUR_KEY_HERE
Keys are created in the dashboard at /dashboard/keys. When you create a key, the full value is shown exactly once in a green box. Copy it immediately — we hash keys on storage and cannot show the original after that. If you lose a key, revoke it from the dashboard and create a new one.
For production use, keep keys out of source control: set them as environment variables, inject them from your secret manager, or use a server-side proxy so the key never reaches a browser. The dashboard lets you create multiple keys, name them (e.g. 'staging', 'production'), and revoke any key individually so a leaked credential can be invalidated without rotating the others.
Each key has its own rate limit visible in the dashboard. The API response includes X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers so your client can back off cleanly when approaching the limit.
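The two client-side practices above, reading the key from the environment and pausing on the rate-limit headers, shown as an added example that is not QRForge's own code. The environment variable name QRFORGE_API_KEY, the helper names, and the treatment of X-RateLimit-Reset as either a Unix timestamp or a seconds-until-reset value are assumptions; the page does not specify them.

```python
import os
import time

KEY_ENV_VAR = "QRFORGE_API_KEY"  # assumed name; the page does not prescribe one


def load_key(environ=os.environ):
    """Read the key from the environment instead of hard-coding it in source."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key.startswith("qrf_") or key == "qrf_YOUR_KEY_HERE":
        raise RuntimeError(f"{KEY_ENV_VAR} is unset or still the placeholder")
    return key


def auth_headers(key):
    """Build the Authorization header in the form shown on the page."""
    return {"Authorization": f"Bearer {key}"}


def redact(key):
    """Form of the key that is safe to write to logs."""
    return key[:4] + "..." + key[-4:] if len(key) > 12 else "qrf_..."


def seconds_to_wait(headers, now=None, low_water=0):
    """Return how long to pause before the next request.

    Assumption: X-RateLimit-Reset is either a Unix timestamp or a number of
    seconds until reset; values above 1e9 are treated as timestamps.
    """
    now = time.time() if now is None else now
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    try:
        remaining = int(h["x-ratelimit-remaining"])
        reset = float(h["x-ratelimit-reset"])
    except (KeyError, ValueError):
        return 0.0  # headers missing or malformed: do not block
    if remaining > low_water:
        return 0.0
    delay = reset - now if reset > 1e9 else reset
    return max(0.0, min(delay, 3600.0))  # clamp so a bad value cannot stall the client
```

Raise low_water above 0 to start pausing before the last request in the window is spent, and log redact(key) rather than the key itself.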