Digital Metal, Custom Cast Metal Parts Made Fast

Developer API

Authentication & Plans

One key authenticates both the Quoting API and the DFM API. Metering counters are independent per product, so heavy DFM usage doesn’t exhaust your Quoting quota.

Getting an API key

Self-serve at /dashboard/api. Free tier is available immediately for evaluation; upgrade to Starter / Pro / Enterprise for production volumes (see plan tiers below). For higher limits or air-gapped deployments, email connor@digitalmetal.io.

Issued keys look like: dm_live_a3f8c2d1e4b7... — the dashboard shows the key once on creation, then only the prefix afterward. Store it as an env var; never commit to source control.

Using your key

Pass your API key in the X-API-Key header on every request.

GET /api/v1/materials HTTP/1.1
Host: digitalmetal.io
X-API-Key: dm_live_<your_key>

All API keys begin with the prefix dm_live_.

Key security

Treat keys like passwords

Store keys in environment variables or a secrets manager. Never commit them to source control or expose them in client-side code.

One key per integration

Request a separate key for each application or environment (development, staging, production). This way a single key can be revoked without disrupting your other integrations.

Report compromised keys immediately

If a key is exposed, email connor@digitalmetal.io and we will revoke it and issue a replacement. Revocation takes effect immediately.

Plan tiers (DFM API)

The Quoting API is unmetered. The DFM API is metered per request via Stripe. Each call counts against your plan’s included quota; on paid tiers, requests beyond the included quota are billed automatically per request.

| Plan | quick_info | analyze | Overage |
|---|---|---|---|
| free | 1,000 | 100 | hard cap (402) |
| starter ($0/mo) | 1,000 | 100 | per-unit |
| pro | 50,000 | 5,000 | per-unit |
| enterprise | 1M | 100K | contact us |

Calling from a browser (CORS)

The API allows Access-Control-Allow-Origin: *, so any web app can call /api/v1/* directly from the browser. No allowlist, no preflight contact required — exactly the flow you get from Stripe or OpenAI.

Don’t embed your key in client-side JavaScript. An open-CORS policy plus a key embedded in your bundle = harvestable secret. For browser-driven products, either: (a) proxy through your own backend, or (b) generate per-user short-lived tokens server-side and hand those to the browser. Server-to-server callers (curl, Python, Node, mobile native) are unaffected.
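Option (a) as an added example, not Digital Metal's own code: a small Node backend proxy that injects X-API-Key server-side and refuses to send the key anywhere except /api/v1/ on the API host. The HTTPS scheme, Node 18+ and the environment variable names DM_API_KEY and DM_PROXY_PORT are assumptions.

```javascript
// Added example (not Digital Metal's code): backend proxy that keeps the dm_live_ key server-side.
// Assumptions: HTTPS upstream, Node 18+ (global fetch), env var names DM_API_KEY and DM_PROXY_PORT.
const UPSTREAM = new URL('https://digitalmetal.io');
const FORWARDED = ['accept', 'content-type']; // the only client headers passed upstream

// Build the upstream request, or return null when the path must not be proxied.
function buildUpstreamRequest(method, rawUrl, clientHeaders, apiKey) {
  if (typeof apiKey !== 'string' || !apiKey.startsWith('dm_live_')) {
    throw new Error('DM_API_KEY is missing or is not a dm_live_ key');
  }
  let target;
  try { target = new URL(rawUrl, UPSTREAM); } catch { return null; }
  // Resolve first so "..", "//host" and "\" forms are normalised, then pin origin and
  // prefix: the key can only ever be sent to the API host.
  if (target.origin !== UPSTREAM.origin || !target.pathname.startsWith('/api/v1/')) return null;
  const headers = {};
  for (const name of FORWARDED) {
    if (typeof clientHeaders[name] === 'string') headers[name] = clientHeaders[name];
  }
  headers['x-api-key'] = apiKey; // client-sent X-API-Key, Cookie, etc. are never copied
  return { method, url: target.href, headers };
}

async function startProxy(port, apiKey) {
  const http = await import('node:http');
  return http.createServer(async (req, res) => {
    try {
      const up = buildUpstreamRequest(req.method, req.url, req.headers, apiKey);
      if (!up) { res.writeHead(404).end(); return; }
      const chunks = [];
      for await (const chunk of req) chunks.push(chunk);
      const r = await fetch(up.url, { method: up.method, headers: up.headers,
        body: chunks.length ? Buffer.concat(chunks) : undefined });
      const body = Buffer.from(await r.arrayBuffer());
      res.writeHead(r.status, { 'content-type': r.headers.get('content-type') || 'application/json' });
      res.end(body);
    } catch {
      res.writeHead(502).end(); // do not echo upstream errors (or the key) to the browser
    }
  }).listen(port, '127.0.0.1');
}

// Starts only when configured: DM_PROXY_PORT=8787 DM_API_KEY=dm_live_<your_key> node proxy.js
if (process.env.DM_PROXY_PORT) startProxy(Number(process.env.DM_PROXY_PORT), process.env.DM_API_KEY);
```

Put your own session check in front of the handler; an unauthenticated proxy lets anyone who can reach it spend your quota.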

Response headers (metered routes)

  • X-RateLimit-Limit — included quota for the meter on the caller’s plan.
  • X-RateLimit-Remaining — included units left in the current billing period.
  • X-Billing-Tier — resolved plan tier for the caller (free / starter / etc).

Error responses

Authentication failures return a JSON body with an error field.

| Status | Error | Cause |
|---|---|---|
| 401 | Missing X-API-Key header. | No header was sent. |
| 401 | Invalid API key format. | Key does not start with dm_live_. |
| 401 | Invalid API key. | Key not found in the database. |
| 401 | API key has been revoked. | Key was revoked by the owner. |
| 402 | API quota exceeded for this billing period. | DFM-API only. Free-tier hard cap reached, or paid tier with overage disabled. Response body includes upgrade_url. |