The Feather API uses API keys to authenticate requests. Your API keys carry many privileges, so be sure to keep them secure and never share them in publicly accessible areas.
Getting Your API Key
Log in to your Feather Dashboard
Navigate to Settings → API Keys
Click Generate New Key
Copy your API key and store it securely
API keys are only shown once during creation. Make sure to copy and store your key in a secure location immediately.
Include your API key in the X-API-Key header:
const API_KEY = process . env . FEATHER_API_KEY ; const response = await fetch ( 'https://prod.featherhq.com/api/v1/agents' , { headers: { 'X-API-Key' : ` ${ API_KEY } ` , 'Content-Type' : 'application/json' } });
Security Best Practices Key Management Service (KMS) For production environments, the most secure approach is to store API keys in a Key Management Service (KMS). KMS solutions provide:
Encryption at rest - Keys are encrypted when storedAccess control - Fine-grained permissions for who can access keysAudit logging - Track all key access and usageAutomatic rotation - Scheduled key rotation without code changesSecrets versioning - Maintain multiple versions of keys
AWS Secrets Manager AWS (Node.js)
AWS (Python)
import { SecretsManagerClient , GetSecretValueCommand } from "@aws-sdk/client-secrets-manager" ; const client = new SecretsManagerClient ({ region: "us-east-1" }); async function getFeatherApiKey () { const command = new GetSecretValueCommand ({ SecretId: "feather/api-key" }); const response = await client . send ( command ); return response . SecretString ; } // Use in your application const FEATHER_API_KEY = await getFeatherApiKey (); const response = await fetch ( 'https://prod.featherhq.com/api/v1/agents' , { headers: { 'X-API-Key' : FEATHER_API_KEY , 'Content-Type' : 'application/json' } });
Google Cloud Secret Manager GCP (Node.js)
GCP (Python)
import { SecretManagerServiceClient } from '@google-cloud/secret-manager' ; const client = new SecretManagerServiceClient (); async function getFeatherApiKey () { const name = 'projects/YOUR_PROJECT_ID/secrets/feather-api-key/versions/latest' ; const [ version ] = await client . accessSecretVersion ({ name }); return version . payload . data . toString (); } // Use in your application const FEATHER_API_KEY = await getFeatherApiKey ();
Azure Key Vault Azure (Node.js)
Azure (Python)
import { SecretClient } from "@azure/keyvault-secrets" ; import { DefaultAzureCredential } from "@azure/identity" ; const vaultName = "your-vault-name" ; const url = `https:// ${ vaultName } .vault.azure.net` ; const credential = new DefaultAzureCredential (); const client = new SecretClient ( url , credential ); async function getFeatherApiKey () { const secret = await client . getSecret ( "feather-api-key" ); return secret . value ; } // Use in your application const FEATHER_API_KEY = await getFeatherApiKey ();
HashiCorp Vault Vault (Node.js)
Vault (Python)
import vault from 'node-vault' ; const client = vault ({ endpoint: 'http://vault.example.com:8200' , token: process . env . VAULT_TOKEN }); async function getFeatherApiKey () { const result = await client . read ( 'secret/data/feather' ); return result . data . data . api_key ; } // Use in your application const FEATHER_API_KEY = await getFeatherApiKey ();
Benefits of KMS:
No API keys stored in code or configuration files
Centralized secret management across services
Automatic encryption and decryption
Integration with cloud IAM for access control
Audit trails for compliance requirements
Environment Variables For development and testing, environment variables are acceptable:
# .env file FEATHER_API_KEY = your_api_key_here Key Rotation
Rotate your API keys regularly (recommended: every 90 days)
Immediately rotate keys if they may have been compromised
Use separate keys for development and production environments
Access Control
Only give API keys to team members who need them
Use separate keys for different applications or services
Monitor API key usage in the dashboard
Rate Limits Feather API has the following rate limits:
Standard Plan : 10 RPSEnterprise : Custom limits available
When you exceed the rate limit, you’ll receive a 429 Too Many Requests response.
Error Codes Status Code Description 401Invalid or missing API key 403API key doesn’t have required permissions 429Rate limit exceeded
Next Steps 
