SanctiKey

Legal

API Terms of Use

SanctiKey, LLC · Last Updated: May 24, 2026 · Effective Date: May 24, 2026

1. Purpose and Scope

These API Terms of Use ("API Terms") govern programmatic access to the SanctiKey managed cryptographic infrastructure platform via its developer APIs (the "API"). These API Terms supplement and are incorporated into SanctiKey's Terms of Service. In the event of a conflict between these API Terms and the Terms of Service with respect to API access, these API Terms control.

By accessing or using the API, you agree to these API Terms. If you do not agree, you must not access or use the API.

API access is bundled with all active SanctiKey subscriptions. There is no separate API product tier.

2. API Credentials and Authentication

2.1 Credential Issuance

Upon account activation, SanctiKey issues API credentials including API keys and access tokens to authenticate programmatic requests. These credentials are unique to your account and subscription tier.

2.2 Credential Security

You are solely responsible for:

  • Maintaining the confidentiality and security of all API credentials issued to your account
  • Ensuring API credentials are not stored in source code, version control repositories, client-side code, or any publicly accessible location
  • Rotating credentials immediately upon any suspected or confirmed exposure
  • All API calls made using your credentials, whether authorized by you or not

SanctiKey cannot be held liable for unauthorized API usage resulting from your failure to secure your credentials.

2.3 Credential Revocation

SanctiKey reserves the right to revoke API credentials immediately and without prior notice if SanctiKey determines the credentials are being used in violation of these API Terms, the Acceptable Use Policy, or the Terms of Service.

3. Rate Limits

3.1 Standard Rate Limit

All subscriptions are subject to a standard API rate limit of 100 requests per minute per account. This limit applies across all API endpoints collectively.

3.2 Operational Quota (Usage-Metered)

SanctiKey pricing is usage-metered, not tier-based. Each cryptographic key on your account includes a bundled allotment of 100,000 operational API calls per month. Additional operational calls are sold in blocks of 100,000 at the published per-block rate; there is no separate overage SKU and no automatic tier upgrade.

Administrative API calls (key creation, rotation configuration, policy management, and key listing) do not count against your operational allotment and are always free.

Self-service accounts are capped at 50 keys; higher volumes are available through negotiated Volume Pricing. Current rates are published in SanctiKey's pricing documentation.

3.3 Rate Limit Enforcement

Requests exceeding the per-minute rate limit will receive an HTTP 429 (Too Many Requests) response. Your integration must implement appropriate retry logic with exponential backoff when receiving 429 responses. SanctiKey is not liable for data loss, operational failures, or downstream application errors resulting from rate limit enforcement.

3.4 Operational Usage Billing

Operational API calls beyond your bundled allotment are billed automatically in blocks of 100,000 at the published per-block rate; there is no separate overage SKU and no automatic tier upgrade. SanctiKey does not throttle or suspend API access solely for exceeding a bundled allotment; the per-minute rate limit in Section 3.1 continues to apply independently. SanctiKey will notify you by email of material changes in your usage profile.

4. Client-Side Implementation Responsibility

4.1 Your Responsibility for Integration Quality

SanctiKey provides well-documented APIs and developer resources. You are solely responsible for:

  • The quality, correctness, and security of your API integration code
  • Implementing appropriate error handling for all API responses including 4xx and 5xx status codes
  • Implementing retry logic with exponential backoff for transient failures; looping calls without backoff is a violation of these API Terms and may result in rate limit enforcement or account suspension
  • Correctly handling API responses including returned data key material (for example, plaintext data keys returned by envelope-encryption endpoints); mishandling returned data key material is outside SanctiKey’s control and liability. Managed private keys are non-extractable and are never returned by any endpoint
  • Testing your integration against the Demo Environment before deploying to production
  • Keeping your integration up to date with API version changes per the deprecation policy in Section 6

4.2 No Liability for Client-Side Failures

SanctiKey is not liable for data loss, key loss, encryption failures, or application errors arising from:

  • Bugs or errors in your integration code
  • Incorrect handling of API responses or returned data key material
  • Failure to implement appropriate error handling or retry logic
  • Misuse of API endpoints contrary to the Documentation
  • Loss of returned data key material due to inadequate client-side storage practices

4.3 Production Readiness

Before deploying any SanctiKey API integration to production, you should:

  • Test all integration flows in the Demo Environment
  • Verify correct handling of all documented error codes
  • Confirm that returned data key material is stored securely and never logged or exposed in plaintext
  • Implement monitoring for API error rates and latency

5. Permitted and Prohibited API Use

5.1 Permitted Use

You may use the API solely for:

  • Programmatic access to cryptographic services within your Subscription Plan
  • Automating key management operations within your account
  • Building internal applications that consume SanctiKey’s cryptographic capabilities for your own business purposes
  • Integration with your own products and services in accordance with the Acceptable Use Policy

5.2 Prohibited API Use

In addition to the prohibitions in the Acceptable Use Policy, you may not use the API to:

  • Build a product or service that resells, repackages, or provides access to SanctiKey’s cryptographic capabilities to third parties without SanctiKey’s prior written consent
  • Circumvent, probe, or test rate limiting or quota enforcement mechanisms
  • Automate the creation of accounts or credentials in bulk
  • Access endpoints not documented in SanctiKey’s official API documentation
  • Attempt to extract, reconstruct, or reverse-engineer SanctiKey’s underlying cryptographic implementations through systematic API probing or analysis of API responses
  • Send requests at volumes or patterns designed to stress-test SanctiKey’s infrastructure without prior written authorization

6. API Versioning and Deprecation

6.1 Versioning

SanctiKey's API is versioned. The current API version is specified in the Documentation at docs.sanctikey.com. SanctiKey recommends always integrating against a specific API version rather than an unversioned endpoint.

6.2 Deprecation Notice

SanctiKey will provide at least 90 days' advance notice before deprecating or removing any API endpoint or capability that is in documented general availability. Notice will be provided via email to the account administrator and through the API documentation changelog.

6.3 Breaking Changes

SanctiKey will use commercially reasonable efforts to avoid introducing breaking changes to existing API versions. When breaking changes are necessary, they will be introduced in a new API version with the prior version maintained for the duration of the deprecation notice period.

6.4 Beta Endpoints

API endpoints designated as beta, preview, or experimental in the Documentation are subject to change or removal without notice and are not covered by the deprecation policy in this Section 6.

7. Monitoring and Enforcement

SanctiKey monitors API usage patterns to enforce rate limits, detect abuse, and protect platform integrity for all customers. Monitoring is performed at the metadata level; SanctiKey does not inspect or retain the content of API payloads.

Violations of these API Terms may result in rate limiting, credential revocation, account suspension, or termination in accordance with the Terms of Service and Acceptable Use Policy.

8. Amendments

SanctiKey may update these API Terms at any time. Material changes will be communicated by email and by updating the "Last Updated" date. Your continued use of the API after the effective date of any amendment constitutes acceptance.

9. Contact

SanctiKey, LLC
Developer Support: support@sanctikey.com
API Documentation: docs.sanctikey.com
Security: security@sanctikey.com

These API Terms of Use are effective as of the date listed above and supersede all prior versions.