> ## Documentation Index
> Fetch the complete documentation index at: https://docs.convertly.sh/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate Convertly API requests with dashboard-generated API keys.

<div className="docs-page-banner">
  <img src="https://mintcdn.com/convertly-0a879af2/mW49zm6LTtP_5RqQ/public/docs/authentication/docs-authentication-v2.png?fit=max&auto=format&n=mW49zm6LTtP_5RqQ&q=85&s=a53824211515709078d3f05f2f6b6075" alt="Authentication" width="1672" height="240" data-path="public/docs/authentication/docs-authentication-v2.png" />
</div>

Convertly API keys begin with `cvly_`. They are hashed before storage and only the prefix is shown later in the dashboard.

<div className="convertly-callout">
  Treat API keys like server secrets. Use them from your backend, workers, or trusted automation, not from public browser code.
</div>

## Supported headers

Use the `Authorization` header:

```http theme={"system"}
Authorization: Bearer $CONVERTLY_API_KEY
```

You can also use:

```http theme={"system"}
x-api-key: $CONVERTLY_API_KEY
```

In shell examples, `$CONVERTLY_API_KEY` is the environment variable you export on your server. In application code, read the same value from `process.env.CONVERTLY_API_KEY`, `getenv('CONVERTLY_API_KEY')`, or your secrets manager — never hardcode the token in source files.

## Key management

API keys are created and revoked from the dashboard: open your **account menu** → **Settings** → **API keys**. Keys are shown once when created, so store the token securely before closing the modal.

Convertly has two key types:

* **Standard API keys** are for your own backend, workers, automations, and apps. They can use normal Convertly Storage when your request asks to save files.
* **WordPress site tokens** are created from the WordPress sites section in the dashboard. Use one token per WordPress install. Each token can have **No storage** or **Isolated storage** so agencies can keep client sites out of shared workspace storage.

WordPress site tokens authenticate with the same `Authorization: Bearer ...` and `x-api-key` headers. The storage mode is enforced server-side on files, folders, jobs, media-tool async outputs, and queued worker results.

## Plans

The API resolves plan access from active subscriptions and profile overrides. Free keys can authenticate, but rate limits, file limits, and overage behavior depend on the current plan.

* Subscription prices: [Pricing](https://convertly.sh/pricing)
* Quotas and meters: [Limits](/limits)

<Card title="See limits by plan" icon="gauge-high" href="/limits">
  Review storage, media API, CDN, streaming, Forma AI, and workflow quotas.
</Card>