API Keys
Create and manage developer keys for REST and MCP access.
Your Keys
Use the panel below to create new keys, view existing ones, and revoke keys you no longer need. Each key works across REST endpoints, the whoami route, and the remote MCP server.
Key Format
All developer keys use the s2s_ prefix followed by a random string. This prefix makes it easy to identify ScienceToStartup credentials in your codebase and in secret-scanning tools.
s2s_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
One-time display
The full key is shown only once, immediately after creation. Copy it before closing the dialog. If you lose it, revoke the old key and create a new one.
Usage
Pass the key as a Bearer token in the Authorization header on every request. The same key works for REST, MCP, and the SDK.
curl -H "Authorization: Bearer s2s_YOUR_KEY" \
  "https://sciencetostartup.com/api/developers/whoami"
Legacy header
The X-API-Key header is still supported for backward compatibility, but Authorization: Bearer is the recommended path.
Security
Follow these best practices to keep your API keys safe.
Never commit keys to source control
Store API keys in environment variables or a secrets manager. Add .env to your .gitignore and use tools like dotenv or platform-native secret injection at deploy time.
Recommended practices
- Use environment variables -- set SCIENCETOSTARTUP_API_KEY in your shell profile or CI secrets, not in code.
- Rotate regularly -- create a new key and revoke the old one periodically. You can have multiple active keys during the transition.
- Scope keys to environments -- use separate keys for development, staging, and production to limit blast radius if one leaks.
- Monitor usage -- check the requests-today counter on the key management panel above for unexpected spikes.
- Revoke immediately on exposure -- if a key appears in logs, a public repo, or a chat, delete it and create a replacement without delay.
# .env.local (add this file to .gitignore)
SCIENCETOSTARTUP_API_KEY=s2s_live_your_key_here
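The s2s_ prefix also lets you catch a key before it reaches source control. The scanner below is an added example, not ScienceToStartup's own code: it flags likely keys in files (for instance from a pre-commit hook) and prints only a redacted form so the finding itself does not leak the secret. The character set and minimum length in the pattern are assumptions inferred from the sample key on this page, and the allowlist covers only the placeholder values shown here.

```python
import re
import sys

# Assumption: the page documents only the "s2s_" prefix plus a random string;
# the charset and 16-character minimum are inferred from its sample key.
KEY_RE = re.compile(r"\bs2s_[A-Za-z0-9_]{16,}")

# Placeholder values used in this documentation; not real credentials.
PLACEHOLDERS = {"s2s_YOUR_KEY", "s2s_live_your_key_here"}


def redact(key):
    """Show just enough to recognise the key, never the full secret."""
    return key[:8] + "***" + key[-4:]


def scan_text(text, source="<input>"):
    """Return (source, line number, redacted key) for each likely key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            if key in PLACEHOLDERS:
                continue  # documented dummy value, not a leak
            findings.append((source, lineno, redact(key)))
    return findings


def scan_files(paths):
    """Scan each file; unreadable files are reported and skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError as exc:
            print(f"skip {path}: {exc}", file=sys.stderr)
    return findings


if __name__ == "__main__":
    # Exit non-zero on any finding so a pre-commit hook or CI step fails.
    hits = scan_files(sys.argv[1:])
    for source, lineno, shown in hits:
        print(f"{source}:{lineno}: possible ScienceToStartup key {shown}")
    sys.exit(1 if hits else 0)
```

Run it with the file paths to check as arguments. A hit means the key should be revoked and replaced, not just removed from the file.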