API Key Auth

API keys are project credentials in the form:

<publicId>:<secret>

Create and rotate keys in the dashboard.

REST

Send the key as HTTP Basic (recommended):

API_KEY="publicId:secret"
curl -X POST "https://rest.qpub.io/v1/channel/demo/messages" \
  -H "Authorization: Basic $(echo -n "$API_KEY" | base64)" \
  -H "Content-Type: application/json" \
  -d '{"messages":[{"data":{"text":"Hello"}}]}'

Or as a query parameter (less preferred — may appear in logs):

?api_key=<url-encoded publicId:secret>

Optional client identity:

X-Alias: my-server

WebSocket

Connect to wss://socket.qpub.io/v1 with:

?api_key=<url-encoded publicId:secret>

Optional: &alias=my-client.

SDK

import { QPub } from "@qpub/sdk";

const socket = new QPub.Socket({
  apiKey: process.env.QPUB_API_KEY,
  alias: "server-worker-1", // optional
});

const rest = new QPub.Rest({
  apiKey: process.env.QPUB_API_KEY,
});

The SDK sends Basic auth on REST and api_key on the WebSocket URL when no JWT is active.

Security

  • Use API keys only on trusted servers.
  • For browsers, use Token Auth.
  • Scope keys with permissions when creating them in the dashboard.
  • Rotate keys if a secret leaks.