Authentication
Every /api/v1/* request needs an API key in the Authorization header. Public-demo endpoints (/api/analyze) are rate-limited by IP and don't require a key.
Bearer tokens
Pass your key as a bearer token. Keys start with rdr_live_ and carry 128 bits of entropy.
Authorization: Bearer rdr_live_k_oZWWMEhiKHmuUdzh28Qg
Minting a key
Sign in at /dashboard with Privy (email, wallet, or social login). Click Mint free key. The raw token appears once — copy it into your password manager or your .env file.
During the public preview every self-serve key is on the free tier: 60 requests per minute, 10k per month. Higher limits are available out-of-band — email support@oxar.app.
Rotation & revocation
You can mint as many keys as you need and revoke any one of them from the dashboard. Revoked keys start returning 401 invalid_api_key immediately — there's no grace period, so rotate clients before you click revoke.
Storing keys safely
Treat Radar keys like any third-party API credential.
- Never commit them to git, even in private repos.
- Don't paste them into client-side bundles or browser extensions.
- Server-side only: keep them in
.envfiles and platform secret stores (Vercel, Railway, Doppler, 1Password CLI). - If you suspect a leak, revoke and rotate.