Authentication
Publishable keys, domain restrictions, and security best practices
API Key Types
The Logo API supports two key types:
| Key Type | Prefix | Use In | Auth Method | Max Logo Size |
|---|---|---|---|---|
| Publishable | pk_ or qt_ | Browsers, mobile apps, client-side code | ?token= query param | 800px |
| Secret | sk_ | Server-side only (Node.js, API routes) | Authorization: Bearer header | 1200px |
```
pk_live_1234567890abcdef  ← publishable (client-safe)
sk_live_abcdef1234567890  ← secret (server-side only)
```
Client-Safe (pk_)
Publishable keys for browsers and mobile apps. Passed as a query parameter.
Server-Side (sk_)
Secret keys for backend use. Sent via Authorization header. Supports batch operations and higher resolution.
CORS Friendly
Works cross-origin; Origin is validated when domain restrictions are enabled.
Attribution-Aware
The Free tier requires attribution, which is enforced at the edge.
Never expose secret keys
Secret keys (sk_*) must never appear in client-side code, public repositories, or browser network requests. Use them only in server-side environments.
Getting a Key
- Sign in to the customer portal.
- Open API Keys.
- Create or copy a publishable key (`pk_*`).
- (Optional) Add domain restrictions.
Keys can be rotated or revoked in the portal. There is no public secret-key API for key management.
Using Your Key
Publishable Keys (Client-Side)
Pass the key as a token query parameter:
```html
<img
  src="https://logos.getquikturn.io/apple.com?token=pk_your_key"
  alt="Apple logo"
/>
```
```javascript
const apiKey = process.env.LOGO_API_KEY; // pk_*
const domain = 'apple.com';
const res = await fetch(`https://logos.getquikturn.io/${domain}?token=${apiKey}`);
```
```python
import os, requests
api_key = os.getenv("LOGO_API_KEY")  # pk_*
domain = "apple.com"
res = requests.get(f"https://logos.getquikturn.io/{domain}?token={api_key}")
res.raise_for_status()
```
```javascript
import { QuikturnLogos } from "@quikturn/logos/client";
const client = new QuikturnLogos({ token: "pk_live_xxx" });
const { url } = await client.get("apple.com");
```
Secret Keys (Server-Side)
Secret keys use the Authorization: Bearer header and are only available in the server SDK:
```typescript
import { QuikturnLogos } from "@quikturn/logos/server";
const client = new QuikturnLogos({
  secretKey: process.env.QT_SECRET_KEY!, // sk_*
});
const { buffer } = await client.get("apple.com", { size: 1200 });
```
Secret keys unlock:
- Higher resolution logos (up to 1200px vs 800px)
- Batch operations via `client.getMany()`
- Streaming via `client.getStream()`
- Authorization header authentication (token not in URL)
Domain Restrictions
You can bind a key to specific domains. When enabled, the worker validates Origin (preferred) or Referer against your allowlist.
Adding Allowed Domains
- In API Keys, edit the key and add allowed domains (one per line):
  ```
  example.com
  app.example.com
  *.example.com
  ```
- Save changes and redeploy your app with the same key.
Requests without a matching Origin/Referer will receive 403 Domain not allowed.
Matching Rules
- Exact hostnames are matched (e.g., `example.com`).
- Wildcards (`*.example.com`) match any subdomain on that root.
- Local development should include the host and port (e.g., `localhost:3000`).
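To check an allowlist before saving it in the portal, the matching rules above can be modelled locally. This is an added example, not the service's code: the function names, the sample headers, and the choices marked "Assumption" (wildcard depth, bare root excluded, Referer used only as a fallback) are not stated on this page.

```javascript
// Added example: a local model of the allowlist check, not the service's code.
// Function names and the edge-case choices marked "Assumption" are hypothetical.

// Return "host[:port]" from an Origin or Referer value, or null if unusable.
function hostOf(headerValue) {
  if (!headerValue || headerValue === "null") return null; // opaque origins send "null"
  try {
    return new URL(headerValue).host.toLowerCase(); // URL drops default ports
  } catch {
    return null; // malformed header
  }
}

// True when host matches a single allowlist entry.
function matchesEntry(host, entry) {
  const rule = entry.trim().toLowerCase();
  if (rule.startsWith("*.")) {
    // Assumption: any subdomain depth matches, the bare root does not.
    // Keeping the leading dot stops "notexample.com" matching "*.example.com".
    return host.endsWith(rule.slice(1));
  }
  return host === rule; // exact hostname, including port when the entry has one
}

// Assumption: Origin wins when it parses; Referer is only a fallback.
function checkRequest(allowlist, headers) {
  const host = hostOf(headers.origin) ?? hostOf(headers.referer);
  const allowed = host !== null && allowlist.some((e) => matchesEntry(host, e));
  return allowed ? { status: 200, host } : { status: 403, error: "Domain not allowed" };
}

// Constructed allowlist and request headers for illustration.
const ALLOWLIST = ["example.com", "*.example.com", "localhost:3000"];
const SAMPLES = [
  { origin: "https://example.com" },
  { origin: "https://app.example.com" },
  { origin: "http://localhost:3000" },
  { referer: "https://docs.example.com/pricing?ref=nav" },
  { origin: "http://localhost:5173" },
  { origin: "https://notexample.com" },
  { origin: "https://example.com.other.test" },
  {},
];

function runSamples() {
  return SAMPLES.map((h) => checkRequest(ALLOWLIST, h).status);
}

console.log(runSamples().join(" "));
```

Origin and Referer are supplied by the client, so domain restrictions limit which sites can embed a publishable key in a browser; they do not make the key a secret.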
Security Best Practices
- Store keys in environment variables; never hardcode production keys.
- Rotate keys periodically; update your app before revoking the old key.
- Keep separate keys per environment (dev, staging, production).
- Monitor usage and attribution status in the portal; Free keys must maintain attribution to avoid 403s.
Troubleshooting
- 401 Unauthorized: Missing `token`, token not starting with `pk_`, or revoked key.
- 403 Forbidden: Domain restrictions failed or attribution required for Free tier.
- 429 Too Many Requests: Per-minute rate limit reached; respect `Retry-After`.
Need more? Check Rate Limits, Errors, and SDK Documentation.