At Dub, we're constantly striving to improve the security of our products, whilst upholding the best developer experience for our users.

Today, we're excited to announce Workspace API Keys – a new and improved way for you to build integrations with the Dub API.

Why the change?

Previously, API keys on Dub were created as a 24-character nanoid pattern on the user account level:

.env

DUB_API_KEY=PMj357f2FFqKL11DwvWOo5MP

This had several limitations:

Security vulnerabilities: An API key gives you unfettered access to all workspaces in your account, which poses a security risk if compromised.
Confusing UX: Users would often struggle to find where to create a new API key – as they expect it to be created in their workspace.
Lack of a prefix: API keys do not have a prefix, which makes it harder for git scanning tools like GitGuardian to detect compromised Dub API keys in packages and GitHub repositories.

What's changed?

With this new update, API keys on Dub now live on the workspace level. This also means that you no longer need to pass the workspaceId parameter to your API requests:

import { Dub } from "dub";
 
export const dub = new Dub({
  token: "<token>",
  - workspaceId: "ws_xxx" // no longer need to pass workspaceId param
});

With this change, we've also deprecated User API Keys – while all your old keys will still work, you won't be able to create new ones. We also recommend revoking your old user API keys and creating new workspace API keys instead.

API keys also start with an identifiable prefix: dub_. This makes it easier to distinguish them from other keys and revoke them if compromised:

.env

DUB_API_KEY=dub_PMj357f2FFqKL11DwvWOo5MP

On top of that, we'e also rolled out 3 improvements to our API setup:

Restricted scopes: Set fine-grained permission scopes for your API keys.
Machine users: Create machine users to associate API keys with.
Custom rate limits: Different plans now have different API rate limits.

1. Restricted scopes

Depending on your integration needs, you can now set fine-grained permission scopes for your API keys. This means you can now create API keys that have access to only a subset of the Dub API.

For example, you can create an API key with write access to the links resource, and read-only access to the analytics resource.

Screenshot of the Dub API creation modal with write access to Links and read-only access to Analytics.

This lets you secure your integrations and only expose the data you need.

2. Machine users

On Dub, you can now create API keys that are associated with a “Machine user”.

This is particularly helpful when you don't want to associate the API key with a particular user in your workspace, which helps you avoid security risks when the user leaves the company or if there's a change in project ownership.

Creating a machine user to associate API keys with.

These machine users will show up on your workspace's People tab, but will not contribute to your workspace's user count. Learn more about machine users.

3. Custom rate limits

We now offer custom rate limits for each of our plans. This gives you higher rate limits on Pro and Business plans.

Depending on your Dub.co plan, you can expect the following rate limits:

Plan	Rate limit
Free	600 requests per minute
Pro	3,000 requests per minute
Business	6,000 requests per minute
Enterprise	Custom – reach out to sales for details

What this means for you?

With these changes, you can now build more secure and scalable integrations with the Dub API.

We recommend you to revoke your old user API keys and replace them with workspace API keys instead. Depending on your integration, you might also want to set custom permission scopes to limit the access of your API keys.

We hope you find this new feature useful, and we're looking forward to hearing your feedback – feel free to send us an email or tweet at us!