Authentication
Convertly API keys begin with cvly_. They are hashed before storage and only the prefix is shown later in the dashboard.
Treat API keys like server secrets. Use them from your backend, workers, or trusted automation, not from public browser code.

Supported headers

Use the Authorization header:
Authorization: Bearer $CONVERTLY_API_KEY
You can also use:
x-api-key: $CONVERTLY_API_KEY
In shell examples, $CONVERTLY_API_KEY is the environment variable you export on your server. In application code, read the same value from process.env.CONVERTLY_API_KEY, getenv('CONVERTLY_API_KEY'), or your secrets manager — never hardcode the token in source files.
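The following is an added example, not Convertly's own code: one way to load the key from the environment, fail closed when it is missing or malformed, build either supported header, and mask the credential before headers reach a log. The function names, the 4-character visible tail, and the sample key are assumptions; only the cvly_ prefix is checked because this page does not document key length or character set.

```javascript
const KEY_PREFIX = "cvly_";

// Read the key from the environment; refuse to continue if it is absent or malformed.
function loadApiKey(env = process.env) {
  const key = (env.CONVERTLY_API_KEY || "").trim();
  if (!key) throw new Error("CONVERTLY_API_KEY is not set");
  if (!key.startsWith(KEY_PREFIX) || key.length === KEY_PREFIX.length) {
    throw new Error("CONVERTLY_API_KEY does not look like a Convertly key");
  }
  // Whitespace inside the value (including CR/LF) would corrupt or split the header.
  if (/\s/.test(key)) throw new Error("CONVERTLY_API_KEY contains whitespace");
  return key;
}

// Build one of the two header forms this page lists.
function authHeaders(key, style = "bearer") {
  if (style === "bearer") return { Authorization: `Bearer ${key}` };
  if (style === "x-api-key") return { "x-api-key": key };
  throw new Error(`unsupported header style: ${style}`);
}

// Return a copy of the headers that is safe to log: credential values are masked,
// keeping the prefix plus a few characters so operators can tell keys apart.
function redactHeaders(headers, visible = 4) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (lower === "authorization" || lower === "x-api-key") {
      out[name] = String(value).replace(/cvly_\S+/, (k) =>
        k.slice(0, KEY_PREFIX.length + visible) + "...[redacted]");
    } else {
      out[name] = value;
    }
  }
  return out;
}

// Constructed sample key for demonstration only; real code calls loadApiKey() with no argument.
const demoEnv = { CONVERTLY_API_KEY: "cvly_constructedSampleKey123" };
const demoHeaders = { ...authHeaders(loadApiKey(demoEnv)), Accept: "application/json" };
console.log(redactHeaders(demoHeaders));
```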

Key management

API keys are created and revoked from the dashboard: open your account menu > Settings > API keys. Keys are shown once when created, so store the token securely before closing the modal. Convertly has two key types:
  • Standard API keys are for your own backend, workers, automations, and apps. They can use normal Convertly Storage when your request asks to save files.
  • WordPress site tokens are created from the WordPress sites section in the dashboard. Use one token per WordPress install. Each token can have No storage or Isolated storage so agencies can keep client sites out of shared workspace storage.
WordPress site tokens authenticate with the same Authorization: Bearer ... and x-api-key headers. The storage mode is enforced server-side on files, folders, jobs, media-tool async outputs, and queued worker results.

Plans

The API resolves plan access from active subscriptions and profile overrides. Free keys can authenticate, but rate limits, file limits, and overage behavior depend on the current plan.

See limits by plan

Review storage, media API, CDN, streaming, Forma AI, and workflow quotas.