API keys
API keys are created and revoked in the CHCK partner portal, not via the Partner API. Each key authenticates as the CHCK user linked to your partner account.
Create a key
- Sign in to the partner portal.
- Open API keys (/dashboard/api-keys).
- Enter a name (for your own tracking, e.g. Production backend).
- Click Create key.
One-time display
The full token is shown only once after creation. Copy it into your secret store before dismissing the dialog. CHCK cannot recover a lost token — create a new key instead.
Token format
| Part | Description |
|---|---|
| Prefix | shbx_ (fixed) |
| Body | 48 random bytes, base64url-encoded (~64 characters) |
| Total length | ~70 characters |
Example shape (not a real secret):
```
shbx_xK9mN2pQ7vR4wT1yU8zA3bC6dE0fG5hJ
```
What we store
| Stored in database | Not stored |
|---|---|
| SHA-256 hex hash of the full token | Plaintext token |
| First 12 characters (prefix) for display in the key list | |
Entropy is 384 bits from the random body — suitable for long-lived server credentials.
Use the key
```http
Authorization: Bearer shbx_<paste full token>
```
The dashboard shows a copy-ready example after creation:
```http
Authorization: Bearer shbx_…
```
List and revoke
The dashboard lists active keys by name, prefix (shbx_XXXXXXXX…), and last used time.
- Revoke sets revoked_at; revoked keys immediately receive 401 with error: "invalid_credentials".
- Revocation does not delete historical grading data.
Multiple keys
You may create several keys per partner account (e.g. separate staging and production backends). All keys for the same account access the same CHCK user’s data.
Programmatic key management
There is no public API to mint keys. Keys are tied to dashboard sessions and partner accounts created by CHCK administrators.
If you need automation (CI/CD provisioning), contact CHCK about supported processes.
Implementation reference
Key generation lives in shoebox-platform-web (server action createApiKeyAction) and shares token helpers with shoebox-platform-api:
- generateApiToken() — shbx_ + 48-byte secret
- sha256Hex() — storage hash
- parseBearer() — request parsing
See Authentication for request-time validation.
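The token scheme described on this page (format, stored hash and prefix, bearer parsing, revocation), as an added Node.js sketch that is not the code from shoebox-platform-web or shoebox-platform-api. The helper names follow the list above; the in-memory Map, createKeyRecord(), authenticate() and the record field names other than revoked_at are assumptions.

```javascript
// Added sketch, not CHCK's code. Helper names follow the page; the Map store,
// createKeyRecord(), authenticate() and the hash/prefix/name fields are assumptions.
const crypto = require("node:crypto");

const TOKEN_PREFIX = "shbx_";

// shbx_ + 48 random bytes, base64url-encoded (64 characters, no padding).
function generateApiToken() {
  return TOKEN_PREFIX + crypto.randomBytes(48).toString("base64url");
}

// Storage hash: SHA-256 over the full token, hex-encoded.
function sha256Hex(value) {
  return crypto.createHash("sha256").update(value, "utf8").digest("hex");
}

// Take the Authorization header value; return the token or null if malformed.
function parseBearer(headerValue) {
  const m = /^Bearer ([A-Za-z0-9_-]+)$/i.exec(headerValue || "");
  return m && m[1].startsWith(TOKEN_PREFIX) ? m[1] : null;
}

// The row kept server-side: hash plus 12-character display prefix, no plaintext.
function createKeyRecord(name, token) {
  return { name, hash: sha256Hex(token), prefix: token.slice(0, 12), revoked_at: null };
}

// Request-time check. Assumption: unknown and malformed tokens get the same
// 401 body that the page documents for revoked keys.
function authenticate(headerValue, store) {
  const token = parseBearer(headerValue);
  const record = token ? store.get(sha256Hex(token)) : undefined;
  if (!record || record.revoked_at !== null) {
    return { status: 401, error: "invalid_credentials" };
  }
  return { status: 200, key: record.name };
}

// Constructed walk-through: create a key, use it, revoke it, use it again.
function demo() {
  const store = new Map(); // stands in for the database, keyed by hash
  const token = generateApiToken();
  const record = createKeyRecord("Production backend", token);
  store.set(record.hash, record);
  const before = authenticate(`Bearer ${token}`, store);
  record.revoked_at = new Date().toISOString();
  const after = authenticate(`Bearer ${token}`, store);
  return { token, record, before, after };
}
```

Because only the hash and the 12-character prefix are kept, a leaked key table does not yield usable tokens, and the lookup never compares plaintext secrets.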