API Key Management
API keys authenticate your game’s requests to Quest Data. Manage keys per game and rotate them regularly to maintain security.
Key Types
Section titled “Key Types”| Type | Tier | Count | Rotation | Use |
|---|---|---|---|---|
| Game Key | All | 1 | Manual | Primary key in shipped game |
| Dev Key | Free | 1 | Manual | Local development |
| Env Keys | Pro+ | 3 | Auto | dev/staging/prod separation |
Viewing Keys
Section titled “Viewing Keys”- Go to Configuration > API Keys
- Or from game detail: Game > Settings > API Keys
Each key shows:
- Key Value:
qd_sk_a1b2c3d4e5...(masked after creation) - Environment: Production, Staging, Dev (if applicable)
- Created: Date key was generated
- Last Used: Most recent request timestamp
- Status: Active or Revoked
Rotating Keys
Section titled “Rotating Keys”Never hardcode keys permanently. Rotate regularly:
- Click Generate New Key to create a replacement
- Update your game/server to use new key
- After 24 hours, click Revoke on old key
- Revoked keys stop accepting requests
Timing matters:
- Generate new key
- Deploy update with new key
- Wait for 90% of players to update (typical: 2-4 weeks)
- Then revoke old key
Security Best Practices
Section titled “Security Best Practices”| Practice | Why |
|---|---|
| Rotate Annually | Limit exposure window if compromised |
| Dev ≠ Prod | Dev key can be public; prod key is secret |
| Monitor Activity | Check “Last Used” timestamp for anomalies |
| Don’t Commit Keys | Use environment variables, not hardcoded |
For Godot Games
Section titled “For Godot Games”# Don't do this:const API_KEY = "qd_sk_a1b2c3d4e5" # BAD!
# Do this instead:func _ready(): var api_key = ProjectSettings.get_setting("quest_data/api_key") QuestData.set_api_key(api_key)In Project > Project Settings > Quest Data:
api_key: qd_sk_a1b2c3d4e5api_url: https://api.questdata.ioFree vs Pro Tier Limits
Section titled “Free vs Pro Tier Limits”| Feature | Free | Pro |
|---|---|---|
| Game Keys | 1 | Unlimited per game |
| Env Keys | No | 3 per game (dev/staging/prod) |
| Key Rotation | Manual | Auto-rotate every 90 days |
| Access Logs | Last 7 days | Last 90 days |
| Rate Limit | 100 req/min | 10,000 req/min |
API Reference
Section titled “API Reference”# List keys for a gamecurl "https://api.questdata.io/v1/games/my-game-id/keys" \ -H "Authorization: Bearer YOUR_JWT"
# Create new keycurl -X POST "https://api.questdata.io/v1/games/my-game-id/keys" \ -H "Authorization: Bearer YOUR_JWT" \ -H "Content-Type: application/json" \ -d '{"environment": "production"}'
# Revoke keycurl -X DELETE "https://api.questdata.io/v1/games/my-game-id/keys/qd_sk_xyz" \ -H "Authorization: Bearer YOUR_JWT"Response (Create Key):
{ "id": "qd_sk_a1b2c3d4e5f6g7h8i9j0", "environment": "production", "created_at": "2026-04-06T10:30:00Z", "last_used": null}