Authentication & API Keys
How RapidAPI-mediated auth works.
Two headers, every request
Every Helix-API call requires exactly two headers: X-RapidAPI-Key (your secret) and X-RapidAPI-Host (the per-API hostname).
Your key is per-account, not per-API
The same RapidAPI key works across all 20 Helix-APIs. You don't manage 20 different keys.
Rotating your key
In the RapidAPI dashboard, go to Apps → your app → Rotate Key. The old key is invalidated immediately. We recommend rotating every 90 days for production apps.
Never put keys in URLs or frontends
Always send the key via a header, server-side. Public frontends should proxy through your own backend.
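A sketch of the backend proxy described above, as an added example (not Helix-API or RapidAPI code). It attaches the two headers server-side and refuses to send the key to any other host or in the URL. The hostname, the RAPIDAPI_KEY variable name and the request shape are assumptions.

```javascript
// Added example: names below are assumptions, not values from the page.
const HELIX_HOST = "your-helix-api.p.rapidapi.com"; // placeholder per-API hostname
// Client-supplied headers that must never reach the upstream call.
const STRIP = new Set(["x-rapidapi-key", "x-rapidapi-host", "host", "cookie", "authorization"]);

// Build the upstream request from a browser request; the key comes only from
// server-side configuration (RAPIDAPI_KEY is an assumed variable name).
function buildUpstreamRequest(clientReq, env = process.env) {
  const key = env.RAPIDAPI_KEY;
  if (!key) throw new Error("RAPIDAPI_KEY is not configured");

  // Resolve the client path against the fixed host; "//other.example/x"
  // would otherwise switch hosts and leak the key to a third party.
  const url = new URL(clientReq.path, `https://${HELIX_HOST}`);
  if (url.protocol !== "https:" || url.host !== HELIX_HOST) {
    throw new Error("refusing to send key to unexpected host");
  }
  // The key travels in a header only, never in the URL.
  if (url.href.includes(key)) throw new Error("key must not appear in the URL");

  const headers = {};
  for (const [name, value] of Object.entries(clientReq.headers || {})) {
    const lower = name.toLowerCase();
    if (!STRIP.has(lower)) headers[lower] = value; // drop spoofed or sensitive headers
  }
  headers["X-RapidAPI-Key"] = key;
  headers["X-RapidAPI-Host"] = HELIX_HOST;
  return { url: url.href, headers };
}

// Forward the call and return only status and body, so upstream response
// headers are not passed back to the browser.
async function proxyToHelix(clientReq) {
  const { url, headers } = buildUpstreamRequest(clientReq);
  const res = await fetch(url, { method: "GET", headers });
  return { status: res.status, body: await res.text() };
}
```

Call proxyToHelix from your own route handler; the browser only ever talks to your backend and never sees the key.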