API keys go through a multi-layer security process:
- At creation, the raw key is shown once and never stored. Only a SHA-256 hash is persisted.
- The key prefix (first 8 characters) is stored for identification in logs and the dashboard.
- At the edge, the Cloudflare Worker authenticates the key via KV lookup, verifies the hash, and strips the raw key from the request before forwarding to the backend.
- The Fly.io API server never sees the raw API key. It receives HMAC-signed headers with the developer ID, key ID, tier, and org scope.
If a key is compromised, revoke it immediately from the dashboard. A new key can be created in seconds.