Authentication
All Mockupanda API requests require authentication using an API key. This page explains how to create, manage, and use API keys securely.
API Keys
API keys are bearer tokens that authenticate your requests. Each key is tied to your account and can be created, revoked, or rotated at any time.
Creating an API Key
- Log in to your Mockupanda dashboard
- Navigate to Dashboard → API Keys
- Click "Create API Key"
- Give your key a descriptive name (e.g., "Production Server", "Dev Environment")
- Copy the generated key immediately — it won't be shown again
Key Properties
Each API key has:
- Name: A label to help you identify the key
- Key: The secret token (starts with
mpa_) - Created: When the key was generated
- Last Used: The most recent request timestamp
- Status: Active or Revoked
Using Your API Key
Include your API key in the Authorization header as a Bearer token:
curl -X POST https://mockupanda.com/api/v1/mockups/generate \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"template_id": "bedroom-poster-01",
"artwork_url": "https://example.com/art.jpg"
}'Header Format
Authorization: Bearer mpa_abcd1234efgh5678ijkl9012mnop3456The Bearer prefix is required. Replace mpa_abcd... with your actual key.
Authentication Errors
401 Unauthorized - Missing API Key
{
"error": "Authorization header is required",
"code": "MISSING_API_KEY"
}Fix: Add the Authorization header with your API key.
401 Unauthorized - Invalid API Key
{
"error": "Invalid or revoked API key",
"code": "INVALID_API_KEY"
}Fix: Verify your key is correct and hasn't been revoked. Generate a new key if needed.
Security Best Practices
Keep Keys Secret
- Never commit API keys to version control
- Never expose keys in client-side code
- Never share keys publicly (GitHub, Stack Overflow, etc.)
Store keys in environment variables:
# .env file
MOCKUPANDA_API_KEY=mpa_abcd1234efgh5678ijkl9012mnop3456Rotate Keys Regularly
Rotate API keys every 90 days or when:
- A team member with access leaves
- You suspect a key has been compromised
- You're decommissioning a service that used the key
Use Separate Keys Per Environment
Create different keys for:
- Development - For local testing
- Staging - For pre-production environments
- Production - For live applications
This makes it easy to revoke a specific environment's access without affecting others.
Revoke Compromised Keys
If you suspect a key has been leaked:
- Go to Dashboard → API Keys
- Click "Revoke" next to the compromised key
- Generate a new key immediately
- Update your application with the new key
Revoked keys cannot be restored — you must create a new one.
Rate Limits
Each API key is subject to rate limits:
- 100 requests per minute per key
- 10,000 requests per day per key
Exceeding the rate limit returns a 429 Too Many Requests error:
{
"error": "Rate limit exceeded",
"code": "RATE_LIMIT_EXCEEDED",
"details": {
"limit": 100,
"window": "60s",
"retry_after": 23
}
}Wait for retry_after seconds before retrying. See Rate Limits for details.
Multiple API Keys
You can create multiple API keys for different use cases:
- Per-service keys - Separate keys for each microservice
- Per-client keys - Different keys for different customers (if you're a platform)
- Temporary keys - Short-lived keys for testing or demos
There's no limit on the number of active keys per account.
Monitoring Usage
Track your API usage in the Dashboard → API Keys page:
- Total requests made with each key
- Last used timestamp
- Credits consumed per key
This helps you identify which keys are active and how they're being used.
Testing Authentication
Test your API key with a simple request:
curl -X GET https://mockupanda.com/api/v1/templates \
-H "Authorization: Bearer YOUR_API_KEY"If authentication succeeds, you'll receive a list of available templates. If it fails, you'll get a 401 Unauthorized error.