killer

Connecting APIs

killer can pull live data from 50+ external APIs. Some work instantly with zero setup. Others need an API key from the provider. Here's how both work.

Free APIs

Free APIs require no configuration. When you describe what you want —"build me a recipe finder" or "show trending crypto prices"— killer automatically picks the right API and writes the fetch code.

These APIs are called directly from the browser. They don't go through killer's proxy, which means they keep working after you download and deploy the code elsewhere.

See all free APIs →

Premium services

Premium services (OpenAI, Spotify, TMDB, Google Maps, etc.) need an API key. You get the key from the provider — most have free tiers — and paste it into your project.

1. Get an API key

Go to the provider's developer portal and create an app or project. Copy the API key or secret. Links for every supported service are on the premium services page.

2. Add it to your project

Open your project in killer. Click the API button (lock icon) in the project header. Select the service, paste your key, and save.

3. Describe what you want

Just tell killer: "add Spotify search" or "show trending movies from TMDB." It generates the code and routes API calls through a secure server-side proxy.

How the proxy works

Premium API calls go through killer's server-side proxy at /api/preview/proxy. The generated code sends requests to this endpoint with the service slug and parameters. The proxy injects your API key server-side and forwards the request to the external API.

This means:

  • Your API key never appears in the browser or generated code
  • CORS issues are handled automatically
  • Rate limiting is managed per-user

Example: Spotify search

// TODO [DEPLOY]: Replace /api/preview/proxy with your own backend proxy
const res = await fetch("/api/preview/proxy", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    service: "spotify",
    endpoint: "/v1/search",
    params: { q: "radiohead", type: "artist" }
  })
});
const data = await res.json();

Security

API keys are encrypted at rest in the database. They are never included in generated code, never sent to the browser, and never logged. Keys are scoped to the project that created them.

The proxy validates every request against the project's stored keys before forwarding. If a key isn't set for a service, the proxy returns a structured { needsKey: true } response so the UI can prompt the user.

When you delete a project, its API keys are permanently removed.

← OverviewFree APIs →