Skip to content

Authentication

Every /api/v1 request authenticates with an API key sent as a bearer token:

Authorization: Bearer noai_your_key_here

Keys are issued by our team after an access request from the public API page. An approved account can keep up to five active keys. New keys use the noai_ prefix followed by 40 hexadecimal characters and are shown exactly once. Legacy acp_ keys remain valid until revoked.

  • Shown once. The plaintext key appears exactly once, at creation. Server-side only a SHA-256 hash is stored, so a lost key cannot be recovered; create a new one instead.
  • Named. Give each key the name of the system that holds it (“production server”, “CI”), so you can tell them apart later by name and display prefix.
  • Up to 5 active keys per account. Rotate by creating the new key first, deploying it, then revoking the old one.
  • Revocation is instant. Revoke from the API page or from Account → Connected services; the key stops authenticating on the next request.
Status Meaning
401 Missing, malformed, unknown, or revoked key. Deliberately one message for all four, so a probe cannot tell them apart.
402 The key is valid but the account’s plan lapsed. The API needs Pro or Lifetime.
  • Keep it in an environment variable or a secret store, never in source control.
  • The key rides the Authorization header, never a URL or a JSON body, so request logs and referrers do not capture it.
  • If a key may have leaked, revoke it immediately and mint a replacement; nothing else on the account needs to change.

Strictly necessary storage remembers your choice. See the privacy policy for details.