
Live API: the free docs page, and the key fine print

The detail behind the Live API page — the try-it-out page you get for free, and exactly what a key does and doesn't lock. Pull this up when you're deciding how much to put behind one shared key.

Last verified: 2026-06-07 · checked against fastapi.tiangolo.com · Confidence: high on the auto-docs and the key gate.


The interactive docs page is free and live

FastAPI generates a how-to-use-it page from your code, refreshed every deploy — the cheapest way to tell callers exactly how to use the API, with nothing to write by hand. [confirmed]

  • /docs — a try-it-out Swagger UI: click a route, fill the fields, send a real request, see the response.
  • /redoc — a clean, read-only reference view of the same routes.
  • /openapi.json — the raw machine-readable spec, which is what lets a recipient's agent read the API and write its own request.

An API key is a shared secret, not per-person identity

A key locks the routes; it does not tell your callers apart. [confirmed]

  • Everyone holding it looks the same. You can't see who called, or revoke one person without rotating the key for all of them.
  • A leaked key works until you rotate it. Rotate the secret and redeploy; old keys stop working, and you hand the new one only to the people you still trust.
  • For named, revocable, per-person access, put a login wall in front instead. That reaches the named-people and org-only rungs a bare key can't. → Who can see it?

The URL is public — the key is the only lock

A *.fly.dev URL is reachable the moment it's live. [confirmed]

  • Anyone who finds it reaches the open routes, including /docs — only a valid key gets past the routes you gated.
  • So don't put anything you'd hate a leaked key to reach behind one shared key alone. If it's genuinely sensitive, use the login wall, not a single secret.

What a caller actually does

Three ways in, all from the same URL + key — floor ~3 min if they know the endpoint. [confirmed]

  • From their own code — one request, e.g. requests.get(url, headers={"X-API-Key": key}), and back comes JSON. Same call from any language, curl, or a notebook.
  • Via their agent — point it at your /docs page ("call this API for me") and it writes the request itself. [estimate]
  • By hand first — open your-url/docs, click Authorize, paste the key, and try every route in the browser. No install, no account on your service.

Calling is free to them; the running cost (near $0 when idle on Fly) is yours.

Where it lives, and the host's data handling

Your service and any data it touches sit on whatever app host you deploy to. Keep keys as host secrets, never in the code. → Can you trust the company?, specifically Fly or Vercel. [confirmed]

