Rueda Lens

Authentication

Learn how to authenticate your requests to the Rueda Lens API.

Rueda Lens uses API key authentication via Bearer tokens for secure access to the API.

API Key Format

rdlns_sk_<36_character_string>
  • Prefix: rdlns_sk_ identifies Rueda Lens secret keys
  • Total length: 44 characters
  • Storage: Keys are bcrypt-hashed in our database — we never store them in plain text

Making Authenticated Requests

Include your API key in the Authorization header using the Bearer scheme:

curl -X POST https://api.ruedalens.com/v1/analyze \
  -H "Authorization: Bearer rdlns_sk_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "tireImage": "/9j/4AAQSkZJRg...",
    "carImage": "/9j/4AAQSkZJRg..."
  }'

Creating an API Key

  1. Log in to your dashboard
  2. Navigate to API Keys
  3. Click Create New Key
  4. Provide a descriptive name
  5. Copy and store the key securely

Security Warning

API keys grant full access to your account. Never commit them to version control or share them publicly.

Best Practices

Use Environment Variables

Store API keys in environment variables; never hard-code them:

# Environment (shell or .env file)
RUEDA_LENS_API_KEY=rdlns_sk_your_api_key_here

// Application code (Node.js)
const apiKey = process.env.RUEDA_LENS_API_KEY;

Rotate Keys Regularly

Regular key rotation is a security best practice. Here's how to rotate keys without downtime:

  1. Create a new key in the dashboard while keeping the old one active
  2. Deploy the new key to your application (via environment variables or secrets manager)
  3. Verify the new key works by making a test request
  4. Monitor for a grace period (e.g., 24-48 hours) to ensure all services have updated
  5. Revoke the old key once you've confirmed the new key is working everywhere

Zero-downtime rotation

This overlap approach ensures continuous service during key rotation. Both keys remain valid during the transition period, preventing service interruptions.

Use Separate Keys per Environment

| Environment | Key Name |
|---|---|
| Development | dev-server |
| Staging | staging-ci |
| Production | production-primary |

Secure Your API with IP Filtering

For enhanced security, we strongly recommend implementing IP filtering at your infrastructure level:

Why IP filtering matters:

  • Prevents unauthorized use even if an API key is compromised
  • Adds an additional layer of defense-in-depth security
  • Helps detect and prevent credential theft or leakage

Implementation approaches:

  1. Application-level filtering (recommended for most use cases):

    const ALLOWED_IPS = ['203.0.113.42', '198.51.100.0/24'];
    
    function isAllowedIP(requestIP) {
      return ALLOWED_IPS.some(allowedIP => {
        // Exact match for single addresses; matchesCIDR is a helper you
        // provide to test membership in a range such as 198.51.100.0/24
        return requestIP === allowedIP || matchesCIDR(requestIP, allowedIP);
      });
    }
    
    // Check before making API calls (clientIP is the caller's address)
    if (!isAllowedIP(clientIP)) {
      throw new Error('IP not authorized');
    }

  2. Infrastructure-level filtering:

    • AWS: Use Security Groups or WAF rules
    • Cloudflare: Configure IP Access Rules
    • Nginx: Use allow and deny directives
    • Cloud Load Balancers: Configure allowed source IP ranges

  3. VPN or private network:

    • Route API traffic through a VPN with static IPs
    • Use cloud provider private networking (AWS PrivateLink, Azure Private Link)
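
One way to fill in the matchesCIDR placeholder from the application-level filtering snippet above, as an added example that is not Rueda Lens code. It covers IPv4 only, rejects anything it cannot parse, and the helper names ipv4ToInt and normalizeIP are hypothetical:

```javascript
// Added example (not Rueda Lens code): IPv4 matching for the ALLOWED_IPS list.
const ALLOWED_IPS = ['203.0.113.42', '198.51.100.0/24'];

// Hypothetical helper: dotted-quad IPv4 -> unsigned 32-bit integer, or null.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    // Decimal digits only, no leading zeros (avoids octal-style ambiguity).
    if (!/^(0|[1-9]\d{0,2})$/.test(part)) return null;
    const octet = Number(part);
    if (octet > 255) return null;
    value = value * 256 + octet;
  }
  return value;
}

// Hypothetical helper: Node reports IPv4 peers on dual-stack sockets as "::ffff:a.b.c.d".
function normalizeIP(ip) {
  if (typeof ip !== 'string') return null;
  const trimmed = ip.trim().toLowerCase();
  return trimmed.startsWith('::ffff:') ? trimmed.slice(7) : trimmed;
}

function matchesCIDR(requestIP, cidr) {
  const pieces = cidr.split('/');
  if (pieces.length > 2) return false;
  const prefixText = pieces.length === 2 ? pieces[1] : '32'; // bare IP = /32
  if (!/^\d{1,2}$/.test(prefixText)) return false;
  const prefix = Number(prefixText);
  if (prefix > 32) return false;
  const ipInt = ipv4ToInt(requestIP);
  const baseInt = ipv4ToInt(pieces[0]);
  if (ipInt === null || baseInt === null) return false;
  // JS shift counts wrap at 32, so /0 needs its own mask; >>> 0 keeps values unsigned.
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

function isAllowedIP(requestIP, allowed = ALLOWED_IPS) {
  const ip = normalizeIP(requestIP);
  if (ip === null) return false; // fail closed on missing or non-string input
  return allowed.some(entry => matchesCIDR(ip, entry));
}
```

Behind a reverse proxy the socket address belongs to the proxy, so pass in the client address only from a header your own proxy sets.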

Production deployment

Always combine IP filtering with API key authentication. IP filtering alone is not sufficient security, and API keys alone are vulnerable to theft. Use both together for maximum protection.

Key Management

In the dashboard, you can see each key's name, creation date, last used date, and prefix (e.g., rdlns_sk_abc...xyz).

Privacy

For security, only the first and last 3 characters of each key are displayed in the dashboard.

Revoking Keys

To revoke a compromised or unused key:

  1. Navigate to API Keys in your dashboard
  2. Find the key and click Revoke
  3. Confirm the action

Irreversible

Revoking a key is immediate and permanent. All requests using that key will fail instantly.

Authentication Errors

| Status Code | Error Code | Description |
|---|---|---|
| 401 | MISSING_API_KEY | Authorization header missing or not using Bearer scheme |
| 401 | INVALID_API_KEY | API key is invalid, revoked, or expired |
| 429 | RATE_LIMIT_EXCEEDED | Too many requests — see Rate Limiting |

{
  "success": false,
  "error": {
    "code": "INVALID_API_KEY",
    "message": "Invalid API key"
  }
}