Make your auth docs the page developers never get stuck on
API key documentation is the first real thing a developer touches, and a confusing auth page kills integrations before they start. Good key docs answer four questions without ambiguity: where do I get the key, how do I send it, how do I keep it safe, and what are the limits. This builder produces all four — plus a copy-pasteable cURL example that matches the exact scheme you choose.
How it works
You pick an auth scheme and the tool generates a matching request example and a complete docs section:
Bearer: Authorization: Bearer <key>
Custom header: X-API-Key: <key>
Query string: ?api_key=<key> (discouraged — leaks in logs)
The cURL example is built from your base URL and chosen scheme so it is correct, not generic. The security section is filled in with the non-negotiables — store the key in an environment variable, never commit it, never ship it client-side — and the rate-limit section uses your numbers to explain the 429 behaviour. Everything is plain Markdown ready for a docs site.
The three auth schemes compared
Authorization: Bearer — the standard for RESTful APIs that follow OAuth2 conventions. Use this when your key is functionally a long-lived token. Compatible with most API clients and SDKs without special configuration.
Custom header (X-API-Key) — common for non-OAuth APIs. Slightly more explicit than Bearer about the fact that this is an API key rather than a user token. Requires any HTTP client to set a custom header, which all can do but some developer tools make slightly harder than standard Authorization headers.
Query string — the least preferred option. The key appears in the URL, which means it can be:
- Logged in server access logs
- Stored in browser history
- Captured in referrer headers when following a redirect
- Visible in analytics tools
Use query-string auth only when the calling environment cannot set HTTP headers (some webhook systems, very old clients). Always mark it as deprecated in your docs and provide a migration path.
What the generated docs include
- Where to get the key — link to your dashboard or API console with a sentence on what permission level is needed.
- How to send it — the exact header or parameter with a cURL example using a
YOUR_API_KEYplaceholder. - Security section — environment variable storage, no source-control commits, no client-side bundles, no logging.
- Test vs live keys — if your API uses prefixed keys (e.g.,
sk_test_vssk_live_), say so and explain what each can access. - What a failure looks like — document the 401 Unauthorized response body so developers can distinguish auth failures from network errors.
- Rate limits — the sustained limit, burst, window, and what a 429 response looks like.
- Rotation procedure — generate new key, update deployment, verify, revoke old key. Without this, a leaked key forces downtime.
Tips and example
Show the key in requests using a placeholder like YOUR_API_KEY, never a real-looking value — fake keys that look plausible confuse developers into trying to use them. Always document what a rejected key looks like so developers can tell auth failures apart from network problems immediately rather than filing a support ticket.