Authentication
All authenticated API requests use the X-Fast-Api-Key header. The same key works across every tool in the Tools.FAST network.
API key header
Pass your key with every request:
X-Fast-Api-Key: fast_prod_...
All endpoints require a valid API key.
Getting an API key
- Sign in at accounts.tools.fast.
- Navigate to API Keys.
- Click Create API Key.
- Give it a descriptive name (e.g., "Production Backend", "CI Pipeline").
- Optionally restrict it to specific IP addresses (see IP allowlists).
- Copy the key immediately -- it starts with
fast_prod_and is shown only once.
Example usage
# Convert.FAST -- convert a file
curl -sS -X POST "https://api.tools.fast/convert" \
-H "X-Fast-Api-Key: fast_prod_your_key_here" \
-F "file=@photo.heic" \
-F "targetFormat=jpg"
# Compress.FAST -- compress a file
curl -sS -X POST "https://api.tools.fast/compress" \
-H "X-Fast-Api-Key: fast_prod_your_key_here" \
-F "file=@image.png"
# Check entitlements (works from any tool)
curl -sS "https://api.tools.fast/convert/entitlements/me" \
-H "X-Fast-Api-Key: fast_prod_your_key_here"# Convert.FAST -- convert a file
Invoke-RestMethod -Method Post "https://api.tools.fast/convert" `
-Headers @{ "X-Fast-Api-Key" = "fast_prod_your_key_here" } `
-Form @{ file = Get-Item "photo.heic"; targetFormat = "jpg" }
# Compress.FAST -- compress a file
Invoke-RestMethod -Method Post "https://api.tools.fast/compress" `
-Headers @{ "X-Fast-Api-Key" = "fast_prod_your_key_here" } `
-Form @{ file = Get-Item "image.png" }
# Check entitlements (works from any tool)
Invoke-RestMethod "https://api.tools.fast/convert/entitlements/me" `
-Headers @{ "X-Fast-Api-Key" = "fast_prod_your_key_here" }IP allowlists
You can restrict an API key to specific IP addresses for defense-in-depth:
- Go to API Keys at accounts.tools.fast.
- Edit the key and add one or more allowed IPs — enter a single address (e.g.,
203.0.113.5) or a CIDR range (e.g.,203.0.113.0/24). - Requests from IPs outside the allowlist receive a
401error.
When no IPs are configured, the key is accepted from any address.
Key rotation
To rotate an API key without downtime:
- Create a new API key at accounts.tools.fast.
- Update your application to use the new key.
- Verify the new key works in production.
- Delete the old key.
Both keys are valid simultaneously until you delete the old one, so there is no gap in service.
Error responses
Missing API key
If an endpoint requires authentication and no key is provided, the API returns 401:
{
"error": "api_key.invalid_or_ip_not_allowed",
"detail": "X-Fast-Api-Key was provided but is invalid for this request (or IP not allowlisted)."
}
Invalid API key
If the key is malformed, expired, or deleted:
{
"error": "api_key.invalid_or_ip_not_allowed",
"detail": "X-Fast-Api-Key was provided but is invalid for this request (or IP not allowlisted)."
}
IP not in allowlist
If the key has IP restrictions and the request comes from a disallowed address:
{
"error": "api_key.invalid_or_ip_not_allowed",
"detail": "X-Fast-Api-Key was provided but is invalid for this request (or IP not allowlisted)."
}
The error message is intentionally identical for all three cases to avoid leaking information about which keys exist.
Security best practices
- Never commit keys to source control. Use environment variables or a secrets manager.
- Use IP allowlists in production. Restrict keys to your server IPs.
- Create separate keys per environment. Use one key for staging, another for production.
- Rotate keys periodically. At minimum, rotate when team members leave.
- Monitor usage. Check your credit balance and API key activity at accounts.tools.fast.
- Use HTTPS only. All Tools.FAST APIs enforce HTTPS. HTTP requests are rejected.