GET /v1/me#

Returns information about the authenticated API key — the first endpoint to hit when wiring up a new client. It confirms your key, tier, and current rate-limit window in one call, with no side effects.

Use it as a smoke test in CI, after rotating keys, or whenever a request unexpectedly fails with 401 / 429 and you need to inspect what the server thinks of your key.

Parameters#

None. The key is read from the X-API-Key header (or Authorization: Bearer <key>).

Examples#

Response#

{
  "key": {
    "id": "01J3KXY1ZAB7CQNR8TP4Z9EXMQ",
    "name": "Default key",
    "prefix": "qb_pk_••••1234",
    "scope": "pk"
  },
  "tier": "free",
  "rateLimit": {
    "limit": 10,
    "remaining": 8,
    "resetInSeconds": 9,
    "burstPer10s": 10,
    "perDay": 500
  },
  "monthlyQuota": {
    "limit": null,
    "used": 0,
    "resetsAt": null
  },
  "meta": {
    "requestId": "req_01HZABC123DEF"
  }
}

{
  "type": "https://quizbase.runriva.com/errors/missing_api_key",
  "title": "API key required",
  "status": 401,
  "detail": "Include your API key in the X-API-Key header (or Authorization: Bearer <key>). Get a key at https://quizbase.runriva.com/dashboard/keys.",
  "instance": "/api/v1/me",
  "code": "missing_api_key"
}

{
  "type": "https://quizbase.runriva.com/errors/invalid_api_key",
  "title": "Invalid API key",
  "status": 401,
  "detail": "The API key you sent does not match any active key.",
  "instance": "/api/v1/me",
  "code": "invalid_api_key"
}

Response fields#

• key.id — internal identifier of the API key (UUID v7). Stable across rotations of the secret.
• key.name — the label you set when creating the key (e.g. "CI runner", "Mobile app — staging").
• key.prefix — masked display value (e.g. qb_pk_••••1234). Safe to log; the full secret is only shown once at creation.
• key.scope — "pk" (publishable, safe for client-side / mobile apps, CORS-enabled) or "sk" (secret, server-side only).
• tier — current subscription tier: "free", "indie", "pro", or "enterprise". Drives rate limits and feature gates.
• rateLimit.limit / rateLimit.remaining / rateLimit.resetInSeconds — current 10s burst window. Mirrors RateLimit-* headers. Quota is per user account — shared across all your keys.
• rateLimit.burstPer10s / rateLimit.perDay — your tier’s full limits, useful for client-side throttling logic.
• monthlyQuota.limit / used / resetsAt — monthly quota window. All null / 0 pre-launch (subscription billing arrives in a later phase). Reserved shape; safe to read now.
• meta.requestId — request identifier (also in X-Request-Id response header). Include in support requests so we can locate the request in logs.

Performance#

• p50 (warm): ~40ms
• p95: <100ms (auth lookup + locals serialization, no DB read on hit path)
• Last measured: 2026-05-07
• SLO: p95 < 500ms, error rate < 1%

See also#

• Authentication — header formats, scopes, rotation
• Rate limits and retries — backoff strategies
• Errors and retries — RFC 9457 error format reference