Authentication

Learn how to authenticate your API requests

All API requests require authentication using an API key. This page explains how to create and use API keys.

Creating an API key

  1. Sign in to the AllScreenshots dashboard
  2. Navigate to API Keys in the sidebar
  3. Click Create API Key
  4. Give your key a descriptive name (e.g., "Production", "Development")
  5. Copy the key immediately—it won't be shown again

API keys are displayed only once when created. If you lose a key, you'll need to create a new one.

Using your API key

Include your API key in the X-API-Key header:

curl -X POST "https://api.allscreenshots.com/v1/screenshots" \
    -H "X-API-Key: ask_abc123..." \
    -H "Content-Type: application/json" \
    -d '{"url": "https://example.com"}' \
    --output screenshot.png

Key prefixes

All API keys created in the dashboard start with ask_, short for AllScreenshots Key.

The dashboard shows the full key only once, when you create it. After that, only the first 12 characters are shown for identification.

Security best practices

Never expose your API key in client-side code, public repositories, or browser requests.

Follow these practices to keep your keys secure:

Use environment variables

Store keys in environment variables, not in code:

# .env file (never commit this)
ALLSCREENSHOTS_API_KEY=ask_abc123...

// Access via environment variable
const apiKey = process.env.ALLSCREENSHOTS_API_KEY;

Use server-side requests only

Always make API calls from your server, never from the browser:

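// Good: Server-side API route
const express = require('express');
const app = express();
app.use(express.json()); // parse JSON bodies so req.body.url is populated

app.post('/api/screenshot', async (req, res) => {
  const response = await fetch('https://api.allscreenshots.com/v1/screenshots', {
    method: 'POST',
    headers: {
      // Read from the server's environment; the key never reaches the browser
      'X-API-Key': process.env.ALLSCREENSHOTS_API_KEY,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ url: req.body.url }),
  });
  if (!response.ok) {
    // Return a generic error rather than relaying the upstream response
    return res.status(502).json({ error: 'screenshot_failed' });
  }
  // Relay the image bytes to the caller with the upstream content type
  res.set('Content-Type', response.headers.get('content-type'));
  res.send(Buffer.from(await response.arrayBuffer()));
});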
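
The two practices above do not catch a key that was pasted into a file anyway. As an added example (not AllScreenshots code), this scanner flags strings that look like `ask_` keys in source files, bundles or logs and reports them only by their first 12 characters, the same identifier the dashboard shows. The key body pattern (16 or more characters from `[A-Za-z0-9_-]`), the function names and the sample input are assumptions; the page documents only the prefix and the 12-character display.

```javascript
// Added example, not AllScreenshots code. Documented facts used: the "ask_"
// prefix and the 12-character identifier. The key body's character set and
// minimum length are assumptions; adjust them to the keys you actually hold.
const KEY_PATTERN = /\bask_[A-Za-z0-9_-]{16,}/g; // assumed key body
const DISPLAY_LEN = 12; // dashboard shows the first 12 characters

// Identifier that can be matched against the dashboard without revealing the key.
function keyId(key) {
  return key.slice(0, DISPLAY_LEN) + '...';
}

// Scan text (source file, built bundle, log) and report each suspected key by
// line number and identifier only, so the report itself leaks nothing.
function findExposedKeys(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const match of line.matchAll(KEY_PATTERN)) {
      findings.push({ line: i + 1, id: keyId(match[0]) });
    }
  });
  return findings;
}

// Replace every suspected key in a string before it is written to a log.
function redactKeys(text) {
  return text.replace(KEY_PATTERN, (key) => keyId(key));
}

// Constructed sample, not a real key: a file with one hard-coded key, one
// environment lookup, and the truncated placeholder used in documentation.
const SAMPLE_KEY = 'ask_' + 'EXAMPLEexample0123456789';
const sampleBundle = [
  'const headers = {',
  `  "X-API-Key": "${SAMPLE_KEY}",`,
  '};',
  'const apiKey = process.env.ALLSCREENSHOTS_API_KEY;',
  '# ALLSCREENSHOTS_API_KEY=ask_abc123...',
  'const task_scheduler_configuration_v2 = true;',
].join('\n');

console.log(findExposedKeys(sampleBundle));
console.log(redactKeys(`request failed with key ${SAMPLE_KEY}`));
```

Run it over staged files in a pre-commit hook or over build output in CI, and treat any finding as a reason to rotate the key identified by `id`.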

Rotate keys regularly

Periodically create new keys and delete old ones, especially if:

  • A team member leaves your organization
  • You suspect a key may have been exposed
  • You haven't rotated keys in several months

Use separate keys for environments

Create different keys for development, staging, and production:

  • Easier to track usage per environment
  • Limits blast radius if a key is compromised
  • Allows different rate limits per environment

Managing API keys

From your dashboard, you can:

  • View all keys: See key names and creation dates
  • Delete keys: Revoke access immediately
  • Track usage: Monitor requests per key (coming soon)

Error responses

If authentication fails, you'll receive a 401 Unauthorized response:

{
  "error": "unauthorized",
  "message": "Invalid or missing API key"
}

Common causes:

  • Missing X-API-Key header
  • Invalid or revoked API key
  • Key from wrong organization

Rate limits

API keys are subject to rate limits based on your plan. See Rate limits for details.