Authentication
Relay authenticates API requests with project API keys. Every request to https://api.relay.welbuiltai.tech/v1 is authorized with a key tied to a single project.
Key types
- Secret keys begin with
sk_. They grant full API access and must only ever be used server-side. Treat them like a password. - Publishable keys begin with
pk_. They identify the project but cannot mint tokens, so they are safe to reference where a project identifier is needed.
The Authorization header
Authenticate by sending your secret key as a Bearer token on every request:
Authorization: Bearer sk_live_...Test vs. live mode
Each project issues keys in two modes. Live keys (sk_live_) operate on real usage and billing; test keys (sk_test_) let you integrate without affecting your live metering. The prefix tells you which mode a key belongs to at a glance.
Creating and revoking keys
Manage keys under API Keys in the dashboard. A key's secret value is shown exactly once at creation — copy it then, because Relay never displays it again. If a key is leaked or no longer needed, revoke it from the same screen; revoked keys stop working immediately, and you can mint a replacement at any time.
Keep secret keys server-side
Never ship an sk_ key to a client.
Secret keys must never appear in browser JavaScript, mobile app binaries, or any code a user can inspect. Always mint tokens from your backend and send only the resulting short-lived token to the client. A leaked sk_ key can create tokens for any room in your project until it is revoked.