
Authentication

Meter uses API keys to authenticate requests. All API requests must include your API key to identify your account and track usage.

Getting your API key

  1. Sign up or log in at meter.sh
  2. Navigate to your dashboard
  3. Click Generate API Key
  4. Copy your API key immediately—it will only be shown once
Save your API key immediately. For security, Meter only shows the full API key once during creation. After that, only the prefix (e.g., sk_live_abc...) is visible. If you lose your key, you’ll need to generate a new one and delete the old one.

Managing API keys

Creating a new key

  1. Go to your dashboard
  2. Click Generate API Key
  3. Copy the full key (starts with sk_live_)
  4. Store it securely

Deleting a key

To revoke an API key:
  1. Go to your dashboard
  2. Find the key by its prefix (e.g., sk_live_abc...)
  3. Click Delete
  4. Confirm deletion
Deleting a key immediately revokes access. Any requests using that key will return 401 Unauthorized.

Key rotation

Manual rotation is supported:
  1. Generate a new API key
  2. Update your applications with the new key
  3. Verify the new key works
  4. Delete the old key from the dashboard
This enables zero-downtime key rotation for production systems.

API key format

API keys follow this format:
  • Live keys: sk_live_ + random characters
  • Used for production and development (during beta)

Using API keys

Python SDK

Store your API key in an environment variable:
export METER_API_KEY="sk_live_your_key_here"
Initialize the client:
from meter_sdk import MeterClient
import os

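# Recommended: load from the environment. os.environ[...] raises KeyError
# at startup if the variable is unset, instead of passing None to the client.
client = MeterClient(api_key=os.environ["METER_API_KEY"])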

# Alternative: Direct initialization (not recommended for production)
client = MeterClient(api_key="sk_live_your_key_here")

REST API

Include your API key in the Authorization header using the Bearer scheme:
curl https://api.meter.sh/v1/strategies \
  -H "Authorization: Bearer sk_live_your_key_here" \
  -H "Content-Type: application/json"

Best practices

Use Environment Variables

Store API keys in environment variables, never in code

Rotate Keys Regularly

Generate new keys periodically and delete old ones

Use Secrets Management

Use tools like AWS Secrets Manager or HashiCorp Vault in production

Monitor Usage

Check your dashboard for unusual API activity

Storing API keys securely

Development

Use environment variables or a .env file (add to .gitignore):
# .env
METER_API_KEY=sk_live_your_key_here
Load with python-dotenv:
from dotenv import load_dotenv
import os

load_dotenv()
api_key = os.getenv("METER_API_KEY")

Production

Use AWS Secrets Manager or Systems Manager Parameter Store:
import boto3

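def get_api_key():
    # Region and secret name are example values; the caller's IAM role
    # needs secretsmanager:GetSecretValue on this secret.
    client = boto3.client('secretsmanager', region_name='us-east-1')
    response = client.get_secret_value(SecretId='meter-api-key')
    return response['SecretString']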

Error responses

401 Unauthorized

Your API key is missing or invalid:
{
  "detail": "Invalid or missing API key"
}
Solutions:
  • Verify your API key is correct
  • Check that you’re including the Authorization header
  • Ensure the key hasn’t been deleted from the dashboard

403 Forbidden

Your API key doesn’t have permission for the requested resource:
{
  "detail": "You do not have permission to access this resource"
}
Solutions:
  • Verify you’re accessing your own resources
  • Check that the resource exists

Rate limits

Rate limits are not yet enforced during beta. Reasonable usage is expected. Production rate limits will be announced before enforcement.
Future rate limits will be based on:
  • Requests per minute
  • Strategies generated per day
  • Jobs executed per hour
Rate limit information will be included in response headers when implemented.

Security model

Meter follows security best practices for API key handling:
  • One-time display: Full keys are shown only once during creation
  • Prefix storage: Only the key prefix is stored in readable form and displayed after creation
  • Hashed storage: Full keys are hashed using bcrypt before storage
  • Immediate revocation: Deleted keys are invalidated instantly
  • Per-user isolation: API keys can only access resources belonging to the authenticated user
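
The properties listed above, sketched as a minimal server-side key store. This is an added example, not Meter's code: `KeyStore`, `slow_hash`, `status_for` and the 12-character prefix length are hypothetical, and PBKDF2 from the Python standard library stands in for bcrypt so the block runs without extra packages.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 12  # assumption: "sk_live_" plus 4 characters stay readable


def slow_hash(key, salt):
    # Stand-in for bcrypt: a salted, deliberately slow stdlib hash.
    return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 200_000)


class KeyStore:
    """Hypothetical server-side table: prefix -> (owner, salt, digest)."""

    def __init__(self):
        self.records = {}

    def issue(self, owner):
        """Return the full key once; persist only its prefix and hash."""
        while True:
            key = "sk_live_" + secrets.token_urlsafe(32)
            if key[:PREFIX_LEN] not in self.records:
                break
        salt = secrets.token_bytes(16)
        self.records[key[:PREFIX_LEN]] = (owner, salt, slow_hash(key, salt))
        return key

    def authenticate(self, authorization):
        """Map an Authorization header value to an owner, or None."""
        scheme, _, key = (authorization or "").partition(" ")
        record = self.records.get(key[:PREFIX_LEN])
        if scheme != "Bearer" or record is None:
            return None
        owner, salt, digest = record
        ok = hmac.compare_digest(slow_hash(key, salt), digest)
        return owner if ok else None

    def revoke(self, prefix):
        """Deleting the record invalidates the key on the next request."""
        self.records.pop(prefix, None)


def status_for(store, authorization, resource_owner):
    """401 for a bad or revoked key, 403 for someone else's resource."""
    owner = store.authenticate(authorization)
    if owner is None:
        return 401
    return 200 if owner == resource_owner else 403
```

Because the store holds only a prefix and a digest, a lost key cannot be recovered from it, which is why the dashboard flow is to generate a new key and delete the old one.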

Need help?

Email me at [email protected]