Create and retrieve your API key
You create and manage OneSource API keys on the OneSource dashboard at app.onesource.io, under API Keys. Keys start with sk_.
Create a key (copy it now: it's shown only once)
- Sign in at app.onesource.io.
- Open API Keys and click Create new API key. Optionally name it (for example production or staging).
- The full sk_... value is shown once, in a dialog, at creation time. Copy it then and store it somewhere safe.
After you close that dialog, the dashboard only ever shows a masked prefix (sk_xxxx…yyyy) for the key, never the full value again. There's no "reveal" button on the list and support can't recover the key for you. If you lose a key, you don't retrieve it: you create a replacement and delete the old one.
Manage your keys
The API Keys table lists every key on your account:
| Column | What it shows |
|---|---|
| Name | The label you gave the key (or default). |
| Key | The masked prefix (sk_xxxx…yyyy), enough to tell keys apart. |
| Created | When the key was created. |
| Last used | When the key last authenticated a request (or Never). |
| Enabled | A toggle to disable or re-enable the key without deleting it. |
| Remove | The trash icon permanently revokes the key. |
- Disable vs delete: switch the Enabled toggle off to suspend a key while keeping it on the account (useful for parking a key you might bring back); use the trash icon to revoke it for good.
- Revocation isn't instant. The API gateway caches successful key validations for up to ~30 seconds, so a disabled or deleted key can keep working for that long before it's rejected.
- Create as many keys as you like (one per environment is a common pattern). All keys on your account share the same plan rate limit and monthly quota; see Rate limits and quotas.
Store it in your application
A few patterns that work well:
- Server-side workloads: set ONESOURCE_API_KEY as an environment variable in your hosting platform (Vercel, Fly.io, Railway, Heroku config vars; ECS task definition; Kubernetes secret).
- Local development: copy the key into a .env file (and add .env to .gitignore).
- CI: store the key as a masked CI secret and inject as an environment variable at build time.
Treat the key like any other production secret. Don't commit it to source control, and don't log it.
Node.js
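```js
// Read the key from the environment; fail fast if it is missing.
const apiKey = process.env.ONESOURCE_API_KEY;
if (!apiKey) throw new Error('ONESOURCE_API_KEY is not set');

// Send the key as a Bearer token (top-level await requires an ES module).
const res = await fetch('https://api.onesource.io/api/chain/network-info', {
  headers: { Authorization: `Bearer ${apiKey}` },
});
```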
Python
```python
import os

import httpx

# Raises KeyError if ONESOURCE_API_KEY is not set.
api_key = os.environ['ONESOURCE_API_KEY']
resp = httpx.get(
    'https://api.onesource.io/api/chain/network-info',
    headers={'Authorization': f'Bearer {api_key}'},
)
```
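One way to back up the "don't log it" rule in a Python service, added here as an example (it is not OneSource's code): validate the key at startup without echoing it, and attach a logging filter that rewrites any full key to a masked form like the dashboard's sk_xxxx…yyyy. The key character set, the minimum length, the 4+4 masking width and the names `mask_key`, `redact`, `RedactKeysFilter` and `load_api_key` are assumptions; the page states only the sk_ prefix and the masked form.

```python
import logging
import os
import re

# Assumption: after "sk_" a key has 8+ letters, digits, "_" or "-".
# The page only states that keys start with "sk_".
KEY_PATTERN = re.compile(r"\bsk_[A-Za-z0-9_-]{8,}")


def mask_key(key: str) -> str:
    """Return a dashboard-style masked form such as sk_abcd…wxyz."""
    body = key[3:]
    if len(body) < 16:  # too short to show 4+4 characters safely
        return "sk_…"
    return f"sk_{body[:4]}…{body[-4:]}"


def redact(text: str) -> str:
    """Replace every full key found in text with its masked form."""
    return KEY_PATTERN.sub(lambda m: mask_key(m.group(0)), text)


class RedactKeysFilter(logging.Filter):
    """Scrub keys from the formatted log message before it is emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted
        return True


def load_api_key(env=os.environ) -> str:
    """Read the key from the environment; fail fast if missing or malformed."""
    key = env.get("ONESOURCE_API_KEY", "").strip()
    if not key:
        raise RuntimeError("ONESOURCE_API_KEY is not set")
    if not KEY_PATTERN.fullmatch(key):
        # Never echo the value itself in the error.
        raise RuntimeError("ONESOURCE_API_KEY does not look like an sk_ key")
    return key


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactKeysFilter())
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    fake = "sk_" + "A1b2C3d4E5f6G7h8"  # constructed sample, not a real key
    logging.info("calling API with headers=%s", {"Authorization": f"Bearer {fake}"})
```

The filter covers the log message only; exception tracebacks are rendered later by the formatter, so avoid raising exceptions whose text contains the key.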
Replacing a key
There's no in-place "rotate" button, and you can't see an existing key's full value again, so rolling a key over means creating a new one and cutting traffic across before removing the old one:
- On the dashboard, click Create new API key and copy the new sk_* value into your secret store.
- Deploy your application with the new key and confirm it's serving traffic.
- Optionally switch the old key's Enabled toggle off first: if nothing breaks within a minute or so, you've confirmed nothing still depends on it.
- Once the new key is live, delete the old key from the dashboard.
If a key is exposed, don't wait to test: delete (or at least disable) the compromised key immediately, then create and deploy a replacement.