Authentication
Every /api/v1 request authenticates with an API key sent as a bearer token:
Authorization: Bearer noai_your_key_hereKeys are issued by our team after an access request from the public API page. An approved account can keep up to five active keys. New keys use the noai_ prefix followed by 40 hexadecimal characters and are shown exactly once. Legacy acp_ keys remain valid until revoked.
- Shown once. The plaintext key appears exactly once, at creation. Server-side only a SHA-256 hash is stored, so a lost key cannot be recovered; create a new one instead.
- Named. Give each key the name of the system that holds it (“production server”, “CI”), so you can tell them apart later by name and display prefix.
- Up to 5 active keys per account. Rotate by creating the new key first, deploying it, then revoking the old one.
- Revocation is instant. Revoke from the API page or from Account → Connected services; the key stops authenticating on the next request.
Status codes
Section titled “Status codes”| Status | Meaning |
|---|---|
401 |
Missing, malformed, unknown, or revoked key. Deliberately one message for all four, so a probe cannot tell them apart. |
402 |
The key is valid but the account’s plan lapsed. The API needs Pro or Lifetime. |
Handling the key safely
Section titled “Handling the key safely”- Keep it in an environment variable or a secret store, never in source control.
- The key rides the
Authorizationheader, never a URL or a JSON body, so request logs and referrers do not capture it. - If a key may have leaked, revoke it immediately and mint a replacement; nothing else on the account needs to change.