Suspending your key
In your account dashboard you can suspend your key at any time and
replace it with a new key.
Multiple keys per account
Free-trial accounts are limited to one key at a time, but paying customers
can have multiple keys. These can be created (or suspended) anytime in
your account dashboard.
Can I publish my key publicly?
Technically, yes, of course you can. A common example is client-side
code, where anyone who looks in the source code can grab your key.
A better approach is to have your client-side code call
server-side code (be it hosted on your servers, or on a serverless
framework (we have
for many), this way you have full control over what is happening and your
key is not publicly visible.
Please do NOT put your key in GitHub
Please do not check your key into GitHub or any other public version control
service. A better approach is to have your code access the key via an
environment variable or command line parameter that is set at the time the
software is run. The best way to do this will depend on exactly which
platform you are running on and which technology you are using, but
we strongly encourage you to spend a few minutes learning whatever the
best practices are for your stack.
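The two recommendations above (client-side code calling server-side code, and reading the key from an environment variable at run time) combined in one added example, which is not OpenCage's own code. The variable name OPENCAGE_API_KEY, the allow-listed parameters and the local port are assumptions; the upstream URL is the public OpenCage geocoding endpoint, which this page does not spell out.

```python
import os
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM = "https://api.opencagedata.com/geocode/v1/json"  # not listed on this page
KEY_ENV = "OPENCAGE_API_KEY"  # assumed variable name
ALLOWED_PARAMS = {"q", "language", "limit"}  # assumed: only what the front end needs


def load_key(env=os.environ):
    """Read the key at run time; fail closed if it is missing."""
    key = env.get(KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV} is not set")
    return key


def build_upstream_url(client_query, key):
    """Build the upstream URL from an untrusted client query string."""
    params = urllib.parse.parse_qs(client_query)
    # Drop anything not allow-listed, including a client-supplied "key".
    forward = {k: v[0] for k, v in params.items() if k in ALLOWED_PARAMS}
    if not forward.get("q"):
        raise ValueError("missing q parameter")
    forward["key"] = key
    return UPSTREAM + "?" + urllib.parse.urlencode(forward)


class Proxy(BaseHTTPRequestHandler):
    def do_GET(self):
        query = urllib.parse.urlsplit(self.path).query
        try:
            url = build_upstream_url(query, load_key())
            with urllib.request.urlopen(url, timeout=10) as resp:
                status, body = resp.status, resp.read()
        except ValueError:
            status, body = 400, b'{"error": "missing q parameter"}'
        except Exception:
            # Never echo the upstream URL or exception text: both can contain the key.
            status, body = 502, b'{"error": "upstream request failed"}'
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

The browser only ever sees the proxy's URL, so the key stays out of page source, and an unset variable produces a 502 rather than an unauthenticated upstream call.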
Here are some examples of software for managing keys
You can use automated code quality tools like
to define a policy of
not allowing secret credentials into source code
with automated checks at each code commit.
What happens if someone "steals" my key?
If you believe someone is abusing your key please get in touch with us.
One worry that potential clients sometimes raise is that someone will
get their key and start using it heavily and they will face a large and
unexpected bill. Fear not - that can't happen because of how our pricing
works. Customers buy a month in advance, and there is no usage-based
charging. If we see an explosion of usage we email you and ask if it is
expected and the source is known. If yes, and it will be ongoing, we
ask you to move to a higher pricing tier in the future, but this never
happens as a surprise. If no, we can help you work out what is going on.
Paying customers can add IP address restriction to their API keys.
Any API request that comes from a non-allowed IP address will then
receive a 403 - Forbidden status code as the response for all requests.
This can be configured in your account dashboard.
We do not support IP restriction for free-trial accounts, as,
by definition, the free trial is meant just for testing.
Cross-origin resource sharing (CORS) HTTP header
By default all API responses return the HTTP header
which specifies that all cross-origin requests are allowed.
Paying customers can define a domain to limit cross-origin requests to
in their account dashboards. Please see the details in the API documentation.
Securing your account in general
You can set up two-factor authentication on your account (see
the blog post where we announced this), and we recommend you do so.
We should also note that we (OpenCage) have no access to your payment
details, that is all stored in Stripe, our payment processor.
Questions or concerns?
Please get in touch if anything is unclear. We are here to help.