Authentication
Every request to api.eupeak.io (except GET /v1/health) is authenticated with a bearer token.
API key format
API keys issued by eupeak.io are opaque bearer tokens that start with a predictable prefix:
ek_live_XXXXXXXXXXXXXXXXXXXXXXXXXX
Only the prefix (ek_live_) and the last four characters are ever displayed in the dashboard. The full key is shown exactly once, at creation time. Store it somewhere secure immediately. If you lose it, you will need to revoke it and create a new one.
Sending the key
Pass the key in the Authorization header using the Bearer scheme. Keys in query strings or cookies are not accepted.
Authorization: Bearer ek_live_YOUR_KEY
cURL
curl -X POST https://api.eupeak.io/v1/screen \
  -H "Authorization: Bearer ek_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "query": "Acme Corporation SA", "type": "entity" }'
TypeScript
const res = await fetch('https://api.eupeak.io/v1/screen', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.EUPEAK_API_KEY}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ query: 'Acme Corporation SA', type: 'entity' }),
});
Python
import os, httpx
res = httpx.post(
    'https://api.eupeak.io/v1/screen',
    headers={'Authorization': f"Bearer {os.environ['EUPEAK_API_KEY']}"},
    json={'query': 'Acme Corporation SA', 'type': 'entity'},
)
How keys are stored
- Keys are stored as SHA-256 hashes on eupeak.io infrastructure. The plaintext value is never persisted and cannot be recovered by support.
- Every request is logged with the key’s internal identifier, its prefix, the request path, latency and response status — so you can audit exactly which key did what.
- Revocation is instantaneous. Once revoked from the dashboard or via the API, the key is rejected on every subsequent request in under one second.
Rate limits
Each API key is rate-limited independently at 100 requests per minute. Exceeding the limit returns 429 Too Many Requests with a Retry-After header (in seconds).
Need a higher limit? Contact support@samarkandindustries.com or upgrade to Enterprise for dedicated throughput.
Security best practices
- Never embed API keys in client-side JavaScript, mobile apps, or public repositories. Always call eupeak.io from a trusted server.
- Use one key per environment (production, staging, local) so revocations have minimal blast radius.
- Rotate keys on a schedule. The dashboard shows last_used_at for every key to help identify stale credentials.
- If a key is exposed, revoke it immediately and generate a new one. There is no way to reset a key in-place.
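The predictable ek_live_ prefix makes exposed keys easy to catch in a pre-commit or CI check before they reach a repository. The scanner below is an added example, not eupeak.io code; the key alphabet and minimum length in its pattern are assumptions (this page documents only the prefix), and the sample files and key are constructed.

```python
import re
from typing import Iterator, NamedTuple

# Assumption: the secret part after the documented "ek_live_" prefix is 16 or
# more ASCII letters, digits, "_" or "-". The page does not specify the
# alphabet or length, so adjust this to match your real keys.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])ek_live_([A-Za-z0-9_-]{16,})")


class Finding(NamedTuple):
    path: str
    line_no: int
    redacted: str


def redact(key: str) -> str:
    """Keep only what the dashboard shows: the prefix and the last four characters."""
    return f"ek_live_...{key[-4:]}"


def is_placeholder(secret: str) -> bool:
    """Skip documentation stand-ins such as XXXX... or YOUR_KEY_HERE."""
    return len(set(secret)) == 1 or secret.upper().startswith("YOUR_")


def scan_text(path: str, text: str) -> Iterator[Finding]:
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            if not is_placeholder(m.group(1)):
                yield Finding(path, line_no, redact(m.group(0)))


# Constructed sample inputs; the key in web/app.js is made up for this example.
SAMPLE_FILES = {
    "web/app.js": "const key = 'ek_live_EXAMPLEexample0123456789ab';\nfetch(url);\n",
    "README.md": "Authorization: Bearer ek_live_YOUR_KEY\nek_live_XXXXXXXXXXXXXXXXXXXXXXXXXX\n",
    "server/config.py": "import os\nAPI_KEY = os.environ['EUPEAK_API_KEY']\n",
}


def scan_all(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        # Never print the full key: scanner output ends up in CI logs.
        print(f"{f.path}:{f.line_no}: possible eupeak.io key {f.redacted}")
```

A finding means the key should be treated as exposed: revoke it and issue a new one, since removing the line from the file does not remove it from history.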
Error responses
| Code | Meaning |
|---|---|
| 401 | No Authorization header, malformed header, or unknown key |
| 403 | Key is valid but has been revoked or the account is suspended |
| 429 | Rate limit exceeded (100 req/min per key) |
See Errors for the full error catalogue.