API Authentication
Authenticate with the CallMeter API using API keys, manage key lifecycle, and follow security best practices.
The CallMeter API provides programmatic access to your organization's testing infrastructure. All API requests must be authenticated using an API key. This guide covers key creation, usage, scoping, rotation, and security practices.
API Key Format
CallMeter API keys use the cmk_ prefix followed by a cryptographically random string:
cmk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6
The cmk_ prefix makes it easy to identify CallMeter keys in your codebase, CI/CD configurations, and secret management systems. It also enables automated scanning tools to detect accidentally committed keys.
Keys are shown once
When you create an API key, the full key value is displayed only once. Copy it immediately and store it securely. CallMeter stores only a hashed version of the key and cannot retrieve the original value.
Creating an API Key
Only members with the Editor, Admin, or Owner role can create API keys.
- Open your project in CallMeter, then click API Keys in the left sidebar
- Click Generate New Key
- Enter a descriptive name for the key (e.g., "CI/CD Pipeline", "Monitoring Script", "Staging Tests")
- Review the permissions summary -- the key inherits your current role's permissions
- Click Create
- Copy the key immediately -- it will not be shown again
- Store the key in a secure location (environment variable, secrets manager, CI/CD vault)
Key Naming Best Practices
Use descriptive names that identify the purpose and context of each key:
- github-actions-production -- For production deployment pipeline
- gitlab-ci-staging -- For staging environment tests
- monitoring-cron-job -- For scheduled monitoring scripts
- dev-local-testing -- For development machine API access
Clear naming makes it easy to identify which key to revoke when a system is decommissioned or a team member leaves.
Key Scoping and Permissions
API keys inherit the permissions of the user who created them at the time of creation.
| Creator Role | Key Can Do |
|---|---|
| Editor | Create/edit/delete tests, probes, registrars, files; run tests; read all data |
| Admin | Everything Editor can do, plus manage members and settings |
| Owner | Full API access including billing operations |
A key created by a Tester can trigger test runs and read results but cannot create or modify test configurations. A key created by an Editor can create and manage resources but cannot invite members or access billing.
Key permissions are fixed at creation time
If the creating user's role changes after the key is generated, the key retains the permissions it had at creation. Downgrading a user's role does not automatically limit their existing API keys. Revoke and recreate keys when role changes occur.
Organization Scope
API keys are scoped to the organization of the creating user. A key can only access resources within that organization. If you belong to multiple organizations, create separate keys for each.
Using API Keys in Requests
Include the API key in the Authorization header using the Bearer token scheme.
HTTP Header Format
Authorization: Bearer cmk_your_api_key_here
Example: List Projects
curl -s \
-H "Authorization: Bearer $CALLMETER_API_KEY" \
https://callmeter.io/api/v1/projects
Example: Trigger a Test Run
curl -s -X POST \
-H "Authorization: Bearer $CALLMETER_API_KEY" \
https://callmeter.io/api/v1/projects/{projectId}/tests/{testId}/run
Example: Get Test Run Results
curl -s \
-H "Authorization: Bearer $CALLMETER_API_KEY" \
https://callmeter.io/api/v1/projects/{projectId}/test-runs/{testRunId}
Example: Get Test Run Endpoints
curl -s \
-H "Authorization: Bearer $CALLMETER_API_KEY" \
https://callmeter.io/api/v1/projects/{projectId}/test-runs/{testRunId}/endpoints
Authentication Errors
The API returns standard HTTP status codes for authentication failures:
| Status Code | Meaning | Resolution |
|---|---|---|
| 401 Unauthorized | Missing or invalid API key | Check that the key is included in the Authorization header and is correctly formatted |
| 403 Forbidden | Valid key but insufficient permissions | The key's creator role does not have permission for this operation |
| 429 Too Many Requests | Rate limit exceeded | Back off and retry after the period indicated in the Retry-After header |
Common Mistakes
Missing Bearer prefix:
# Wrong -- missing "Bearer"
curl -H "Authorization: cmk_abc123..." https://callmeter.io/api/v1/projects
# Correct
curl -H "Authorization: Bearer cmk_abc123..." https://callmeter.io/api/v1/projects
Using the wrong header name:
# Wrong -- X-API-Key is not supported
curl -H "X-API-Key: cmk_abc123..." https://callmeter.io/api/v1/projects
# Correct -- use Authorization header
curl -H "Authorization: Bearer cmk_abc123..." https://callmeter.io/api/v1/projects
Rate Limits
API requests are rate-limited to protect the platform and ensure fair usage. Rate limits are applied per API key.
| Plan | Rate Limit |
|---|---|
| Free | Conservative |
| Starter | Standard |
| Pro | Higher |
| Business | High |
| Enterprise | Custom |
When you exceed the rate limit, the API returns 429 Too Many Requests with a Retry-After header indicating how many seconds to wait before retrying. Implement exponential backoff in your automation scripts to handle rate limiting gracefully.
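The header format, the 401/403/429 responses and the backoff advice above can be combined into one small client. The following is an added example written for this page, not CallMeter's own SDK; it uses only the Python standard library, reads the key from the CALLMETER_API_KEY environment variable, and the base delay, cap and retry count are its own choices rather than values documented by the API. A scripted fake sender is included so the retry logic can be exercised offline without a real key.

```python
import os
import time
import urllib.error
import urllib.request

KEY_PREFIX = "cmk_"
# The projects URL is the one used by the curl examples on this page.
PROJECTS_URL = "https://callmeter.io/api/v1/projects"


class AuthError(Exception):
    """Raised on 401/403: retrying cannot fix a missing or under-privileged key."""


def auth_header(api_key: str) -> dict:
    """Build the Authorization header: Bearer scheme, not X-API-Key."""
    if not api_key.startswith(KEY_PREFIX):
        raise ValueError("expected a CallMeter key starting with cmk_")
    return {"Authorization": f"Bearer {api_key}"}


def retry_delay(attempt: int, retry_after, base: float = 1.0, cap: float = 60.0) -> float:
    """Honour a numeric Retry-After header; otherwise back off exponentially.

    base and cap are this example's own choices, not values from the API docs.
    """
    if retry_after is not None:
        try:
            return float(retry_after)
        except (TypeError, ValueError):
            pass  # e.g. an HTTP-date value; fall back to exponential backoff
    return min(cap, base * (2 ** attempt))


def call_with_backoff(send, max_retries: int = 5, sleep=time.sleep):
    """Run send() -> (status, headers, body), retrying only on 429.

    401 and 403 are raised immediately: repeating an unauthenticated or
    under-privileged request never succeeds and only adds noise to audit logs.
    """
    for attempt in range(max_retries + 1):
        status, headers, body = send()
        if status == 401:
            raise AuthError("401 Unauthorized: key missing, malformed, or revoked")
        if status == 403:
            raise AuthError("403 Forbidden: the creating role lacks this permission")
        if status == 429 and attempt < max_retries:
            sleep(retry_delay(attempt, headers.get("Retry-After")))
            continue
        return status, body


def urllib_sender(url: str, api_key: str, method: str = "GET"):
    """Real HTTP sender built on the standard library (not used offline)."""
    def send():
        req = urllib.request.Request(url, method=method, headers=auth_header(api_key))
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.headers, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.headers, err.read().decode()
    return send


def fake_sender(responses):
    """Constructed sender for offline use: replays a scripted list of responses."""
    queue = iter(responses)
    return lambda: next(queue)


if __name__ == "__main__":
    key = os.environ["CALLMETER_API_KEY"]  # never hard-code the key in source
    status, body = call_with_backoff(urllib_sender(PROJECTS_URL, key))
    print(status, body[:200])
```

Because the sender is injected, the same `call_with_backoff` runs against the real API in production and against `fake_sender` in unit tests; passing `sleep=` a list's `append` records the computed delays instead of waiting.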
Key Rotation
Regularly rotating API keys is a security best practice. To rotate a key:
- Create a new API key with the same permissions
- Update all systems using the old key to use the new key
- Verify that all systems work with the new key
- Revoke the old key
Zero-downtime rotation
Create the new key before revoking the old one. This ensures uninterrupted API access during the transition. Both keys work simultaneously until you revoke the old one.
Recommended Rotation Schedule
| Context | Rotation Frequency |
|---|---|
| Production CI/CD | Every 90 days |
| Development / staging | Every 180 days |
| Personal scripts | Every 90 days |
| Shared team keys | Every 30 days |
| After team member departure | Immediately |
Revoking API Keys
Revoke a key when it is no longer needed, may be compromised, or belongs to a former team member.
- Open your project in CallMeter, then click API Keys in the left sidebar
- Find the key to revoke (identified by its name and creation date)
- Click Revoke
- Confirm the revocation
Revoked keys stop working immediately. Any API requests using the revoked key will receive 401 Unauthorized responses. Revocation cannot be undone -- if you need the same access, create a new key.
When to Revoke Keys Immediately
- A team member with API key access leaves the organization
- A key is accidentally committed to a public repository
- You detect unexpected API activity in your audit logs
- A CI/CD system using the key is decommissioned
Security Best Practices
Store Keys Securely
- Environment variables -- export CALLMETER_API_KEY=cmk_... in your shell profile or CI/CD secrets
- Secret managers -- AWS Secrets Manager, HashiCorp Vault, Google Secret Manager
- CI/CD vaults -- GitHub Secrets, GitLab CI Variables, Azure Key Vault
Never Commit Keys to Version Control
Add patterns to your .gitignore to prevent accidental commits:
# Environment files that may contain API keys
.env
.env.local
.env.production
Use secret scanning tools (GitHub secret scanning, GitGuardian, TruffleHog) to detect accidentally committed keys.
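The cmk_ prefix described in the API Key Format section is exactly what makes the scanning tools mentioned above work. The following added example (not from CallMeter or any of the named tools) shows a minimal pre-commit style scanner: it searches files for the prefix followed by a long alphanumeric run, reports only a redacted form of each hit, and exits non-zero so a hook can block the commit. The minimum length of 20 is this example's own threshold, chosen so that prose mentioning the bare prefix does not trigger a finding; the sample files are constructed, and the key in them is the example value shown on this page.

```python
import re
import sys

# Assumed threshold: 20+ alphanumeric characters after the prefix counts as a key.
KEY_RE = re.compile(r"\bcmk_[A-Za-z0-9]{20,}\b")

# Constructed sample files; the key value is the example shown on this page.
SAMPLE_FILES = {
    ".env": "CALLMETER_API_KEY=cmk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6\n"
            "DB_HOST=localhost\n",
    "deploy.sh": 'curl -H "Authorization: Bearer $CALLMETER_API_KEY" '
                 "https://callmeter.io/api/v1/projects\n",
    "notes.md": "Keys start with cmk_ and are shown once.\n",
}


def redact(key: str) -> str:
    """Keep the prefix and the last four characters so the report is safe to log."""
    return key[:8] + "..." + key[-4:]


def scan_text(text: str, source: str) -> list:
    """Return one finding per key-like token, with line number and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in KEY_RE.finditer(line):
            findings.append({"source": source, "line": lineno, "key": redact(match.group())})
    return findings


def scan_sources(sources: dict) -> list:
    """Scan an in-memory {name: contents} mapping (used for the constructed sample)."""
    findings = []
    for name, text in sources.items():
        findings.extend(scan_text(text, name))
    return findings


def scan_paths(paths) -> list:
    """Scan files on disk, e.g. the staged files passed in by a pre-commit hook."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_sources(SAMPLE_FILES)
    for hit in hits:
        print(f"{hit['source']}:{hit['line']}: possible CallMeter key {hit['key']}")
    sys.exit(1 if hits else 0)
```

Run with no arguments to scan the constructed sample, or pass file paths (for example the output of `git diff --cached --name-only`) to scan real staged files; the script prints only the redacted key so the report itself does not leak the secret.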
Use Separate Keys per Environment
Maintain different API keys for different environments:
- One key for production CI/CD
- One key for staging CI/CD
- One key for local development
- One key for monitoring scripts
This limits the blast radius if any single key is compromised and makes it easier to rotate keys for specific systems.
Audit Key Usage
Periodically review your active API keys:
- Open your project in CallMeter, then click API Keys in the left sidebar
- Review the list of active keys
- Check the last used date for each key
- Revoke keys that have not been used recently
- Verify that key names still match their actual usage
Next Steps
- API Endpoints -- Available API operations
- CI/CD Integration -- Use API keys in deployment pipelines
- Roles and Permissions -- Understand how roles affect key permissions