Authentication & rate limiting

API key authentication

Business API routes under /v1/biz are protected with an API‑key–based middleware (APIKeyAuth) that verifies requests using a hashed key and encrypted digest stored in the developer_app_details (or equivalent) table. Send your key using the X-D3-API-Key header:
curl -X GET https://api.dragdropdo.com/v1/biz/status/task_abc123 \
  -H "X-D3-API-Key: d3_live_xxx"
Under the hood the middleware:
  1. Looks up the stored record by API key prefix or mapping.
  2. Decrypts the stored digest using AES.
  3. Recomputes the hash using (digest + provided_api_key).
  4. Compares it with the stored hash and verifies ExpireAt / IsActive.
If the key is invalid or expired, the request is rejected with an authentication error. API keys themselves are generated via:
curl -X POST https://api.dragdropdo.com/v1/developer/generate-api-key \
  -H "Authorization: Bearer your-user-jwt" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My SaaS backend",
    "webhook_url": "https://example.com/webhooks/d3",
    "webhook_secret": "",
    "region": "us-east-1"
  }'
See Developer API → API keys in your product documentation for more detail.
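The four middleware steps above, together with the key-issuance side that produces the stored record, as an added example; this is illustrative code written for this page, not the D3 middleware or the project's own implementation. It assumes AES-256-GCM for the digest encryption, SHA-256 for the hash, a 16-character key prefix as the lookup handle, and an in-memory map in place of the developer_app_details table; none of those details are stated on the page. The check order matters: the same opaque error is returned for an unknown prefix, a failed decryption, a hash mismatch, an inactive key and an expired key, and the hash comparison is constant-time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"time"
)

// APIKeyRecord stands in for one row of developer_app_details; every field
// name except ExpireAt and IsActive is an assumption made for this example.
type APIKeyRecord struct {
	EncryptedDigest []byte    // AES-256-GCM: nonce || ciphertext+tag (step 2)
	Hash            []byte    // SHA-256(digest || apiKey) (step 3)
	ExpireAt        time.Time // step 4
	IsActive        bool      // step 4
}

// Store is an in-memory stand-in for the table, keyed by key prefix (step 1).
type Store map[string]APIKeyRecord

const prefixLen = 16 // "d3_live_" + 8 hex chars; assumed, not the real scheme
var ErrUnauthorized = errors.New("invalid, inactive or expired API key")

// mustRandom panics if the OS CSPRNG fails, which is not recoverable anyway.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func hashKey(digest []byte, apiKey string) []byte {
	h := sha256.New()
	h.Write(digest)
	h.Write([]byte(apiKey))
	return h.Sum(nil)
}

func newGCM(serverKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(serverKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// IssueKey mints a key and stores only what the middleware needs: the hash
// and the per-key digest encrypted under serverKey. The plaintext key is
// returned once to the caller and never persisted.
func IssueKey(serverKey []byte, s Store, ttl time.Duration, now time.Time) (string, error) {
	gcm, err := newGCM(serverKey)
	if err != nil {
		return "", err
	}
	apiKey := "d3_live_" + hex.EncodeToString(mustRandom(24))
	digest := mustRandom(32)
	nonce := mustRandom(gcm.NonceSize())
	s[apiKey[:prefixLen]] = APIKeyRecord{
		EncryptedDigest: gcm.Seal(nonce, nonce, digest, nil),
		Hash:            hashKey(digest, apiKey),
		ExpireAt:        now.Add(ttl),
		IsActive:        true,
	}
	return apiKey, nil
}

// Authenticate runs the four middleware steps for one presented key.
func Authenticate(serverKey []byte, s Store, presented string, now time.Time) error {
	if len(presented) < prefixLen {
		return ErrUnauthorized
	}
	rec, ok := s[presented[:prefixLen]] // 1. look up the record by prefix
	if !ok {
		return ErrUnauthorized
	}
	gcm, err := newGCM(serverKey)
	if err != nil {
		return err
	}
	ns := gcm.NonceSize()
	if len(rec.EncryptedDigest) < ns {
		return ErrUnauthorized
	}
	digest, err := gcm.Open(nil, rec.EncryptedDigest[:ns], rec.EncryptedDigest[ns:], nil) // 2. decrypt
	if err != nil {
		return ErrUnauthorized
	}
	// 3. recompute the hash; 4. constant-time compare, then ExpireAt / IsActive.
	if subtle.ConstantTimeCompare(hashKey(digest, presented), rec.Hash) != 1 ||
		!rec.IsActive || !now.Before(rec.ExpireAt) {
		return ErrUnauthorized
	}
	return nil
}
```

A caller would wrap Authenticate in an HTTP middleware that reads the X-D3-API-Key header and maps ErrUnauthorized to the authentication error described above. Because the stored hash is computed over the decrypted digest as well as the key, a dump of the table alone is not enough to forge requests: an attacker would also need the server-side AES key.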

Rate limiting

The Business API uses a token‑bucket rate limiter backed by Redis:
  • Each API key has an associated rate limit (e.g. 1000/m).
  • Tokens are periodically refilled in Redis.
  • Each request consumes one or more tokens.
  • If there are not enough tokens, the request is rejected with a 429 status.
Typical HTTP response on limit exceeded:
{
  "error": "rate_limit_exceeded",
  "message": "Too many requests. Please try again later."
}
Your effective limits and quotas are visible in the D3 dashboard / developer portal.
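The token-bucket behaviour described above, as an added example that is not the D3 limiter's own code. It keeps each key's bucket in an in-memory map so that it runs stand-alone; the real limiter keeps the same state in Redis, where the refill-and-take step would normally run inside one atomic Lua script. The per-key limit, the 1 token = 1 request cost, the Retry-After computation and the Limiter/Decision names are assumptions made for this example; the 429 body is the one shown on the page.

```go
package main

import (
	"encoding/json"
	"math"
	"time"
)

// Bucket is one API key's token bucket. Capacity equals the per-minute
// limit, so a key with "1000/m" may burst up to 1000 requests, then sustain
// 1000 per minute. Redis would hold Tokens and LastRefill per key.
type Bucket struct {
	LimitPerMinute int       // e.g. 1000 for a "1000/m" key
	Tokens         float64   // current balance, capped at LimitPerMinute
	LastRefill     time.Time // last time tokens were added
}

// refill lazily adds the tokens earned since LastRefill.
func (b *Bucket) refill(now time.Time) {
	elapsed := now.Sub(b.LastRefill).Seconds()
	if elapsed <= 0 {
		return
	}
	earned := elapsed * float64(b.LimitPerMinute) / 60
	b.Tokens = math.Min(float64(b.LimitPerMinute), b.Tokens+earned)
	b.LastRefill = now
}

// Take tries to spend cost tokens. On failure it reports how long the caller
// must wait before the same request could succeed.
func (b *Bucket) Take(cost int, now time.Time) (ok bool, retryAfter time.Duration) {
	b.refill(now)
	c := float64(cost)
	if b.Tokens >= c {
		b.Tokens -= c
		return true, 0
	}
	deficit := c - b.Tokens
	secs := math.Ceil(deficit * 60 / float64(b.LimitPerMinute))
	return false, time.Duration(secs) * time.Second
}

// Limiter maps API keys to their buckets (assumed structure).
type Limiter struct {
	limits  map[string]int // per-key limit, as configured in the developer portal
	buckets map[string]*Bucket
}

func NewLimiter(limits map[string]int) *Limiter {
	return &Limiter{limits: limits, buckets: map[string]*Bucket{}}
}

// Decision is what the middleware turns into an HTTP response.
type Decision struct {
	Status     int           // 200 to continue, 429 when rejected
	RetryAfter time.Duration // value for a Retry-After header when Status is 429
	Body       string        // JSON error body, empty when allowed
}

// rejectedBody is the 429 payload shown in the documentation above.
var rejectedBody, _ = json.Marshal(map[string]string{
	"error":   "rate_limit_exceeded",
	"message": "Too many requests. Please try again later.",
})

// Check charges cost tokens to apiKey and returns the resulting decision.
func (l *Limiter) Check(apiKey string, cost int, now time.Time) Decision {
	limit, known := l.limits[apiKey]
	if !known {
		return Decision{Status: 401} // unknown key: an authentication failure, not a limit
	}
	b, ok := l.buckets[apiKey]
	if !ok {
		b = &Bucket{LimitPerMinute: limit, Tokens: float64(limit), LastRefill: now}
		l.buckets[apiKey] = b
	}
	if allowed, wait := b.Take(cost, now); !allowed {
		return Decision{Status: 429, RetryAfter: wait, Body: string(rejectedBody)}
	}
	return Decision{Status: 200}
}
```

Clients should treat the 429 as a signal to back off rather than retry immediately: with a 5/m key, a sixth request in the same second is told to wait 12 seconds, which is exactly one token's worth of refill. Passing the clock into Check rather than reading time.Now inside it is what makes the behaviour testable without sleeping.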