Skip to main content

Overview

API keys are essential for authenticating requests to the Perplexity API. This guide covers how to create, manage, and rotate your API keys using our authentication token management endpoints.
API keys are shown only once. When you create an API key — through the console or programmatically — the full token is returned at that moment and cannot be retrieved again. Save it immediately to a secure location before closing the page or response.
API keys should be treated as sensitive credentials. Store them securely and never expose them in client-side code or public repositories.

Getting Started: Create Your API Group First

Important Prerequisites: Before you can generate any API keys, you must first create an API group through the Perplexity web interface.
1

Create an API Group

Navigate to the API Groups page and create your first group:Create API Group →API groups help organize your keys and manage access across different projects or environments.
Choose a descriptive name for your API group (e.g., “Production”, “Development”, or your project name) to help with organization.
2

Generate Your API Keys

Once you have an API group, navigate to the API Keys page to generate your first key:Generate API Keys →You can create multiple keys within each group for different purposes or environments. The full key value is displayed once at creation — copy it before leaving the page.
After creating your first API key through the web interface, you can use the programmatic endpoints below to generate and manage additional keys.

Key Management Endpoints

Perplexity provides two endpoints for managing API keys programmatically:
  • /generate_auth_token - Creates a new API key
  • /revoke_auth_token - Revokes an existing API key
Once an API key is revoked, it cannot be recovered. Make sure to update your applications with new keys before revoking old ones.

Generating API Keys

Create new API keys programmatically. Always provide a descriptive token_name — once a key is created, this name is the primary way to identify it later, since the full token value is no longer visible.

Request

Response

Store the auth_token immediately and securely. This is the only time the full token value is returned — it cannot be retrieved later from any endpoint or from the console.

Revoking API Keys

Revoke API keys that are no longer needed or may have been compromised.

Request

Response

Returns a 200 OK status code on successful revocation.

API Key Rotation

Regular key rotation is a security best practice that minimizes the impact of potential key compromises. Here’s how to implement zero-downtime key rotation:

Rotation Strategy

1

Generate New Key

Create a new API key while your current key is still active:
2

Update Applications

Deploy the new key to your applications:
3

Monitor Transition

Ensure all services are using the new key before proceeding:
4

Revoke Old Key

Once confirmed, revoke the old key:

Automated Rotation Example

Here’s a complete example of an automated key rotation script:

Best Practices

Use Environment Variables

Never hardcode API keys in your source code. Store them in environment variables or secure secret management systems.Good: os.environ["PERPLEXITY_API_KEY"]Bad: api_key = "pplx-1234567890abcdef"

Implement Key Rotation

Rotate your API keys regularly (e.g., every 90 days) to minimize the impact of potential compromises.Set up automated rotation scripts to ensure zero downtime during the rotation process.

Use Descriptive Names

Always set token_name when generating a key. After creation, the name is the primary way to identify a key, since the full token value is no longer visible.Examples: “Production-Main”, “Development-Testing”, “CI/CD-Pipeline”

Monitor Key Usage

Track which keys are being used in your applications and revoke unused keys promptly.Maintain an inventory of active keys and their purposes.

Security Considerations

Never expose API keys in:
  • Client-side JavaScript code
  • Mobile applications
  • Public repositories
  • Log files or error messages
  • URLs or query parameters

If a Key is Compromised

  1. Immediately generate a new key using /generate_auth_token
  2. Update all applications to use the new key
  3. Revoke the compromised key using /revoke_auth_token
  4. Review access logs to identify any unauthorized usage
  5. Implement additional security measures such as IP allowlisting if available

Troubleshooting

IssueSolution
”Authentication failed” after rotationEnsure the new key has propagated to all service instances
Cannot revoke a keyVerify you’re using a valid API key with appropriate permissions
Key generation failsCheck your account status and API tier limits
Services still using old keyImplement proper secret rotation in your deployment pipeline
For additional support with API key management, visit the API Platform console or contact our support team.