Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.kodisc.com/llms.txt

Use this file to discover all available pages before exploring further.

Every request to /api/v2/* is authenticated with an API key sent as an HTTP Bearer token. 
Authorization: Bearer kdsc_live_<48 hex chars>
Requests without a valid Authorization header — or with a key that’s been revoked — get a 401 Unauthorized.

Key format

Kodisc API keys look like: 
kdsc_live_9c1d3f2e8b6a4d7c0f5e2a1b8c4d7e9f6a3b1c0d8e5f2a4b
  • Prefix kdsc_live_ marks the key as a live API credential.
  • The remaining 48 characters are random hex.
  • The first 16 characters (e.g. kdsc_live_9c1d) are the display prefix — safe to log, show in your dashboard, and refer to in support tickets. The full key is not safe to log.

Creating a key

  1. Open the developer dashboard.
  2. Click New key, name it something you’ll recognize later (e.g. prod-render-worker).
  3. Optionally set a default webhook URL — every job created with this key will deliver to that URL unless overridden per-request (see Webhooks).
  4. Copy the full key. It is shown exactly once. If you lose it, revoke the key and issue a new one.
When you create a key, Kodisc also generates a webhook signing secret (whsec_…). It never appears in any API response and is unique to that key — see verifying signatures.
Store keys in a secret manager. Never commit them to git, ship them in a frontend bundle, or paste them into shared documents. The full plaintext is only retrievable at creation time — Kodisc only ever stores a SHA-256 hash.

Using a key

Send the key in the Authorization header on every request: 
curl https://kodisc.com/api/v2/me \
  -H "Authorization: Bearer $KODISC_KEY"
Tip: hit GET /api/v2/me right after wiring up auth — it confirms the key is valid and returns your live credit balance.

Rotating the webhook secret

If you suspect your webhook signing secret has leaked, rotate it from the developer dashboard. The old secret is invalidated immediately; subsequent webhook deliveries are signed with the new one. The API key itself is unaffected.

Revoking a key

Revoke any key from the developer dashboard. Revocation is immediate — the next request with that key returns 401. There is no undo; create a new key if you change your mind. Best practice: keep at least two keys in production (e.g. one per worker pool) so you can rotate without downtime.