Skip to main content
Every request to the Pxxl platform API must include a valid API key. You pass the key as a Bearer token in the Authorization header, and Pxxl validates the key’s scopes before processing the request. Because the key grants real access to your workspace, you must keep it exclusively on your backend — never ship it inside browser bundles, client-side code, or mobile applications.

Get an API Key

Navigate to Dashboard > API Keys to manage your platform tokens. Click Create API Key or New API Key to open the key creation form, then fill in:
  • Key name — a readable label such as Production deploy bot, CDN uploader, or Internal monitor
  • Description — optional context explaining where the key is used
  • Scopes / permissions — restrict the token to the minimum capabilities your integration needs
  • Expiration — set a rotation date and avoid permanent tokens wherever possible
Copy the key immediately after creation; it is shown only once.

Authorization Header

Include the key on every request using the Authorization header: 
Authorization: Bearer YOUR_PLATFORM_API_KEY

Node.js Helper (TypeScript)

The example below shows a backend-safe API helper. Store PXXL_API_KEY in your server environment variables and call Pxxl from there — never from the browser.
lib/pxxl.ts
const PXXL_API_BASE = 'https://gateway.pxxl.app/api/v3';

async function callPxxl<T>(path: string, options?: RequestInit): Promise<T> {
  const apiKey = process.env.PXXL_API_KEY;
  if (!apiKey) {
    throw new Error('PXXL_API_KEY is not defined in environment variables.');
  }

  const response = await fetch(`${PXXL_API_BASE}${path}`, {
    ...options,
    headers: {
      'Authorization': `Bearer ${apiKey}`,
      'Content-Type': 'application/json',
      ...options?.headers,
    },
  });

  if (!response.ok) {
    const errorBody = await response.text();
    throw new Error(`Pxxl API error [${response.status}]: ${errorBody}`);
  }

  return response.json() as Promise<T>;
}

export async function getCdnSummary(): Promise<unknown> {
  return callPxxl('/cdn/summary');
}
Never place your API key inside browser JavaScript, client-side framework code, or mobile app bundles. Anyone who can read your frontend source can extract an exposed key. Always route Pxxl API calls through your own backend server so the key stays in a controlled environment.

API Key Scopes

Create a separate key for each workflow and limit each key to the smallest set of permissions it actually needs.
WorkflowRecommended Scope Pattern
Backend deployment checksRead deployment and project status only.
CDN uploaderCDN asset upload and read permissions.
Internal automationNarrow project, domain, or billing scopes for that specific automation.
Monitoring serviceRead-only status and usage permissions.

Rate Limiting

Pxxl enforces rate limits on all API endpoints. When your integration exceeds the allowed request rate, the API returns HTTP 429 Too Many Requests. Handle this response with exponential backoff — wait a short initial delay, then double the wait time on each subsequent retry — rather than immediately retrying in a tight loop.