Creating API Keys

API keys are the primary way that you authorize your application when you're using Yuzu's APIs.

Sign up for a Yuzu account to create your own API key.

About API Keys

API Keys are publishable


API keys in Yuzu are designed to be publishable. In other words, they are not secrets. That means that you can safely use them in browser or mobile frontend apps or check them into your VCS.

Allowed Origins


The primary way your API keys are protected from potential abuse by bad actors is through attaching one or more allowed origins to your API keys. When you add an allowed origin to an API key, that means it can only be used on websites with the domain you specify. Here's an example from the dashboard:

For this API token, we've added localhost and yuzu.dev as allowed origins. This means that the API will reject any request that does not originate from localhost or yuzu.dev.

When you add origins, you do not need to include the scheme or the port in the declaration. Yuzu will ensure that the host section of the URL matches one of these allowed origins.

Allowed Origins do not include subdomains

If you want to use your API key on multiple subdomains that you own, you must allow each one separately.

Empty Origin API Keys


You can specify that one or more of your API tokens can be used without an origin header present in the request. This allows you to use the key from non-browser contexts, like your server-side app, or a command-line tool.

Allowing an API token to be used with an empty origin removes a layer of protection from the API key, and should only be used in contexts where you believe the API key is at low risk of exposure.
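The matching rules described above (host-only comparison, no implicit subdomains, and the empty-origin opt-in) can be sketched as a server-side check. This is an added example, not Yuzu's own code: the function names, the sample requests, and the rejection of unparseable values such as `null` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def origin_host(origin_header):
    """Host part of an Origin header value, lowercased; None if it has none."""
    try:
        # .hostname drops the scheme and port, matching the page's rule that
        # allowed origins are declared without either.
        return urlsplit(origin_header.strip()).hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return None

def key_allows(allowed_origins, allow_empty_origin, origin_header):
    """Decide whether a request carrying this Origin header may use the key."""
    if not origin_header:
        # No Origin header: only keys explicitly marked empty-origin pass.
        return allow_empty_origin
    host = origin_host(origin_header)
    if host is None:
        # Unparseable values, including the literal "null", match nothing.
        # (Assumption: the page does not say how Yuzu treats them.)
        return False
    # Exact host comparison: subdomains and look-alike hosts do not match.
    return host in {o.lower() for o in allowed_origins}

# Constructed sample: the key from the page (localhost and yuzu.dev allowed).
ALLOWED = ["localhost", "yuzu.dev"]
SAMPLES = [
    "http://localhost:3000",         # port ignored
    "https://yuzu.dev",              # scheme ignored
    "https://finance.yuzu.dev",      # subdomain, not listed separately
    "https://yuzu.dev.example.com",  # allowed name only as a prefix
    "https://notyuzu.dev",           # allowed name only as a suffix
    "null",
    None,                            # non-browser client, no Origin header
]

def decisions(allow_empty_origin=False):
    """Allow/reject decision for each constructed sample, in order."""
    return [key_allows(ALLOWED, allow_empty_origin, o) for o in SAMPLES]

if __name__ == "__main__":
    for origin, ok in zip(SAMPLES, decisions()):
        print(f"{origin!r:35} -> {'allow' if ok else 'reject'}")
```

Comparing the parsed host for equality, rather than testing whether the header contains or ends with an allowed name, is what keeps the two look-alike hosts in the sample from matching.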

Deleting API Keys


You can create as many API keys as you like, and delete them at any time. However, any time you delete an API key, it will immediately stop working on any clients where it's used.

🎓 Learn more

What's the Origin header?


The Origin header is a forbidden header, meaning that JavaScript running in a page cannot set or change it, that's sent with every request made from a browser.

For example, if you're on https://finance.yuzu.dev/AAPL, and some JavaScript on the page makes an HTTP POST request to graph.yuzu.dev, these are some of the request headers that the server will see:

| Header Name | Header Value |
| --- | --- |
| Origin | https://finance.yuzu.dev |
| Accept | */* |
| Content-Type | application/json |
| User-Agent | Mozilla/5.0 (Macintosh; Intel Mac OS X) ... |

The browser will include the origin's scheme, host, and port in the Origin header, but will not include the path. For example:

For the URL https://finance.yuzu.dev:443/AAPL?sort=asc#anchor-tag, these are the parts that would be included in the Origin header:

| Component | Value | Included in Origin header |
| --- | --- | --- |
| Scheme | https | ✅ |
| Host | finance.yuzu.dev | ✅ |
| Port | 443 | ✅ |
| Path | /AAPL | 🚫 |
| Query | ?sort=asc | 🚫 |
| Fragment | #anchor-tag | 🚫 |

To read more about the Origin header, head over to the MDN docs.

