Authentication
Overview
Here's how to talk to RndrKit programmatically. Every API request (except the webhook refresh endpoint) is authenticated with an API key sent in a request header.
API Keys
API keys are available on Agency plans and above. You can create up to 5 keys per account.
Creating a Key
- Go to Dashboard > Settings > API Keys.
- Click Create API Key and give it a name (e.g., "CI/CD Pipeline").
- Copy the key immediately -- it is only shown once.
Keys follow this format:
rk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The key is SHA-256 hashed before storage, so we never store your raw key.
Using Your API Key
Pass the key in the X-Api-Key header on every request:
```bash
curl https://rndrkit.io/api/domains \
  -H "X-Api-Key: rk_live_your_key_here"
```

```javascript
const response = await fetch("https://rndrkit.io/api/domains", {
  headers: {
    "X-Api-Key": "rk_live_your_key_here",
  },
});
```
Key Management
- Keys can be revoked at any time from the dashboard.
- last_used_at is tracked automatically so you can see which keys are active.
- Expired keys are rejected automatically.
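One way a service can implement the hash-only storage and key lifecycle described above (revocation, expiry, last_used_at), as an added Node.js example that is not RndrKit's own code. The 32-hex-character key body, the in-memory `Map`, the function names, and the choice to give expired keys the same 401 body as revoked ones are assumptions; the two 401 bodies are the ones this page documents.

```javascript
// Added illustration of hash-only API key storage; not RndrKit's implementation.
const { createHash, randomBytes } = require("node:crypto");

// Assumption: 32 hex characters follow the prefix (the page shows 32 placeholders).
const KEY_PATTERN = /^rk_live_[0-9a-f]{32}$/;
const sha256Hex = (s) => createHash("sha256").update(s, "utf8").digest("hex");

// Stand-in for the key table, indexed by digest. The raw key is never a column.
const keyStore = new Map();

function createApiKey(name, expiresAt = null) {
  // 128 random bits: a fast unsalted hash is adequate only because the
  // secret is random and high-entropy, unlike a user-chosen password.
  const rawKey = "rk_live_" + randomBytes(16).toString("hex");
  keyStore.set(sha256Hex(rawKey), { name, expiresAt, revoked: false, lastUsedAt: null });
  return rawKey; // returned once; afterwards only the digest exists
}

function revokeApiKey(name) {
  for (const record of keyStore.values()) {
    if (record.name === name) record.revoked = true;
  }
}

// headers: Node-style object with lower-cased header names.
function authenticate(headers, now = new Date()) {
  const presented = headers["x-api-key"];
  if (!presented) return { status: 401, body: { error: "API key required" } };
  const invalid = { status: 401, body: { error: "Invalid API key" } };
  if (!KEY_PATTERN.test(presented)) return invalid; // malformed: skip the lookup
  const record = keyStore.get(sha256Hex(presented));
  // Unknown, revoked and expired keys share one body, so a caller cannot
  // learn which case applied (assumption for the expired case).
  if (!record || record.revoked) return invalid;
  if (record.expiresAt && record.expiresAt <= now) return invalid;
  record.lastUsedAt = now; // lets an operator spot keys that are no longer used
  return { status: 200, name: record.name };
}
```

Because only digests are stored, a leaked key table does not yield usable keys, and a key that was not copied at creation time cannot be recovered, only replaced.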
Webhook Tokens
Webhook tokens are a separate auth mechanism for the Webhook Refresh API. They are available on Agency+ plans only.
Tokens follow this format:
rk_wh_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
You can create up to 5 tokens per domain from Dashboard > Domain > Cache tab > Webhook Tokens.
Webhook requests use the Authorization header with a Bearer token:
```bash
curl -X POST https://rndrkit.io/api/webhook/refresh \
  -H "Authorization: Bearer rk_wh_your_token_here" \
  -H "Content-Type: application/json" \
  -d '{"urls": ["/", "/blog/new-post"]}'
```
Error Responses
| Status | Meaning |
|---|---|
| 401 | Missing or invalid API key / webhook token |
| 403 | Plan does not support this feature, or subscription limit reached |
| 429 | Rate limit exceeded (webhook endpoint only -- 10 requests/hour per domain) |
| 500 | Server error during authentication |
Example 401 Responses
```jsonc
// Missing X-Api-Key header
{ "error": "API key required" }

// Key present but invalid or revoked
{ "error": "Invalid API key" }
```
Example 403 Response
```json
{
  "error": "Site limit reached for your subscription plan",
  "current": 3,
  "allowed": 3
}
```
Rate Limiting
RndrKit does not rate-limit by requests per second. Instead, usage is tracked against your monthly render quota. When a domain reaches 120% of its monthly_render_limit, new cache misses are proxied directly to origin instead of being rendered.
Cache hits are always served regardless of quota.
Quick Reference
| Auth Type | Header | Format | Plans | Limit |
|---|---|---|---|---|
| API Key | X-Api-Key | rk_live_* | Agency+ | 5 per account |
| Webhook Token | Authorization: Bearer | rk_wh_* | Agency+ | 5 per domain |