Quikturn v1.0

Authentication

Publishable keys, domain restrictions, and security best practices

API Key Basics

The Logo API uses publishable keys that start with pk_. These are safe for client-side use and required on every request as a query parameter.

pk_live_1234567890abcdef

Client-Safe

Designed for browsers and mobile apps.

CORS Friendly

Works cross-origin; Origin is validated when domain restrictions are enabled.

Rate Limited

Per-minute limits vary by tier.

Attribution-Aware

Free tier requires attribution and is enforced at the edge.

Getting a Key

  1. Sign in to the customer portal.
  2. Open API Keys.
  3. Create or copy a publishable key (pk_*).
  4. (Optional) Add domain restrictions.

Keys can be rotated or revoked in the portal. There is no public secret-key API for key management.

Using Your Key

Always pass the key as a token query parameter.

<img
  src="https://logos.getquikturn.io/apple.com?token=pk_your_key"
  alt="Apple logo"
/>

Server-side fetches use the same pattern; the service does not accept Authorization headers.

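// Node.js (ES module): read the key from the environment, not from source.
const apiKey = process.env.LOGO_API_KEY;
const domain = 'apple.com';
const res = await fetch(`https://logos.getquikturn.io/${domain}?token=${apiKey}`);
if (!res.ok) throw new Error(`Logo request failed: ${res.status}`);

# Python: the same request with the requests library.
import os
import requests

api_key = os.getenv("LOGO_API_KEY")
domain = "apple.com"
res = requests.get(f"https://logos.getquikturn.io/{domain}", params={"token": api_key}, timeout=10)
res.raise_for_status()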

Domain Restrictions

You can bind a key to specific domains. When enabled, the worker validates Origin (preferred) or Referer against your allowlist.

Adding Allowed Domains

  1. In API Keys, edit the key and add allowed domains (one per line):
    example.com
    app.example.com
    *.example.com
  2. Save changes and redeploy your app with the same key.

Requests without a matching Origin/Referer will receive 403 Domain not allowed.

Matching Rules

  • Exact hostnames are matched (e.g., example.com).
  • Wildcards (*.example.com) match any subdomain on that root.
  • Local development should include the host and port (e.g., localhost:3000).
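The rules above can be modelled in a few lines to check an allowlist before saving it. This is an added example, not Quikturn's implementation: hostOf, entryMatches and isAllowed are hypothetical names, the sample values are constructed, and it assumes matching is done on host (plus port when non-default) and that *.example.com does not cover example.com itself.

```javascript
// Added illustration of the matching rules listed above; not the service's code.

// Reduce an Origin or Referer header value to "host" or "host:port".
// The URL parser lowercases the host and drops default ports (80/443).
function hostOf(headerValue) {
  try {
    return new URL(headerValue).host;
  } catch {
    return null; // header missing or not a valid absolute URL
  }
}

// Compare one allowlist entry with a host.
// Assumption: a wildcard entry covers subdomains only, not the root itself.
function entryMatches(entry, host) {
  const rule = entry.trim().toLowerCase();
  if (rule.startsWith('*.')) {
    const suffix = rule.slice(1); // "*.example.com" -> ".example.com"
    // Keeping the leading dot stops "evilexample.com" from matching.
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === rule;
}

// Origin is preferred; Referer is only consulted when Origin is unusable.
function isAllowed(allowlist, origin, referer) {
  const host = hostOf(origin) ?? hostOf(referer);
  if (host === null) return false; // nothing to match against
  return allowlist.some((entry) => entryMatches(entry, host));
}

// Constructed sample allowlist and origins.
const sampleAllowlist = ['example.com', '*.example.com', 'localhost:3000'];
const sampleOrigins = [
  'https://example.com',
  'https://app.example.com',
  'https://evilexample.com',
  'https://example.com.evil.net',
  'http://localhost:3000',
  'http://localhost:5173',
];
for (const origin of sampleOrigins) {
  console.log(origin, isAllowed(sampleAllowlist, origin) ? 'allowed' : '403');
}
```

Look-alike hosts such as evilexample.com and example.com.evil.net are rejected, and a localhost entry only matches the port it names.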

Security Best Practices

  • Store keys in environment variables; never hardcode production keys.
  • Rotate keys periodically; update your app before revoking the old key.
  • Keep separate keys per environment (dev, staging, production).
  • Monitor usage and attribution status in the portal; Free keys must maintain attribution to avoid 403s.

Troubleshooting

  • 401 Unauthorized: Missing token, token not starting with pk_, or revoked key.
  • 403 Forbidden: Domain restrictions failed or attribution required for Free tier.
  • 429 Too Many Requests: Per-minute rate limit reached; respect Retry-After.

Need more? Check Rate Limits and Errors.
