API Authentication
Votito APIs use API keys for authentication. API keys identify your tenant and authorize access to your surveys.
Creating an API Key
- Sign in to your Votito account
- Navigate to Account Settings → API Keys
- Click “Create API Key” and provide a descriptive name
- Copy the key immediately - it will only be shown once
Using Your API Key
Include your API key in the X-API-Key header:
curl -X GET "https://api.votito.com/tenant/whoami" \
-H "X-API-Key: vtt_your_api_key_here"
Security Best Practices
Keep Keys Secret
- Never expose API keys in client-side code
- Never commit API keys to version control
- Use environment variables for key storage
Use Separate Keys for Environments
Create separate API keys for development, staging, and production:
- Production API Key - for live integrations
- Development API Key - for testing and development
- CI/CD API Key - for automated testing
Rotate Keys Regularly
Periodically create new keys and revoke old ones to limit exposure from potential leaks.
Revoke Compromised Keys
If a key may have been exposed:
- Go to API Keys
- Revoke the compromised key immediately
- Create a new key
- Update your applications
Rate Limits
API keys are subject to rate limiting to ensure fair usage:
- 100 requests per second per key
- 10,000 requests per hour per key
Exceeding these limits returns HTTP 429 (Too Many Requests).
API Key Limits
Each account can have up to 4 active API keys. To create additional keys, revoke unused keys first.
Verifying Your Setup
Test your API key with the whoami endpoint:
curl -X GET "https://api.votito.com/tenant/whoami" \
-H "X-API-Key: vtt_your_api_key_here"
Response:
{
  "apiKeyId": "abc123"
}
Error Responses
| Status | Error | Description |
|---|---|---|
| 401 | Unauthorized | Missing or invalid API key |
| 403 | Forbidden | API key does not have access to this resource |
| 429 | Too Many Requests | Rate limit exceeded |
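The following is an added example, not part of the Votito documentation. It is a minimal Python client that reads the key from an environment variable, sends it in the X-API-Key header to the whoami endpoint, fails fast on 401/403, and backs off on 429. The variable name VOTITO_API_KEY, the retry count, and the backoff schedule are assumptions.

```python
import json
import os
import time
import urllib.error
import urllib.request

WHOAMI_URL = "https://api.votito.com/tenant/whoami"  # endpoint shown on this page


def load_api_key(env=os.environ, var="VOTITO_API_KEY"):
    """Read the key from the environment (variable name is an assumption)."""
    key = env.get(var, "").strip()
    if not key:
        # Fail closed: never fall back to a key embedded in source code.
        raise RuntimeError(f"{var} is not set")
    return key


def whoami(key, opener=urllib.request.urlopen, retries=3, sleep=time.sleep):
    """Return the apiKeyId for `key`. Retries only on 429; 401/403 fail fast."""
    req = urllib.request.Request(WHOAMI_URL, headers={"X-API-Key": key})
    for attempt in range(retries + 1):
        try:
            with opener(req, timeout=10) as resp:
                return json.load(resp)["apiKeyId"]
        except urllib.error.HTTPError as err:
            # Error messages deliberately omit the key so it cannot leak into logs.
            if err.code == 401:
                raise PermissionError("401 Unauthorized: missing or invalid API key") from None
            if err.code == 403:
                raise PermissionError("403 Forbidden: key has no access to this resource") from None
            if err.code == 429 and attempt < retries:
                sleep(2 ** attempt)  # assumed backoff policy: 1s, 2s, 4s
                continue
            raise
```

Call it as `whoami(load_api_key())` after exporting the key in the shell or injecting it from your secret store.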