Authentication
All API endpoints require authentication. ai& supports two methods:
API Key (recommended)
Pass your API key in the Authorization header:

```
Authorization: Bearer sk-your-api-key
```

API keys are scoped to an organization. Each key resolves the associated billing account automatically.
Key format
All API keys start with the sk- prefix.
Key management
Create, list, update, and revoke API keys from the console or via the management API:
| Action | Endpoint |
|---|---|
| List keys | GET /api/v1/keys |
| Create key | POST /api/v1/keys |
| Update key | PATCH /api/v1/keys/{key_id} |
| Delete key | DELETE /api/v1/keys/{key_id} |
All key management endpoints require the X-Org-ID header set to your organization ID.
JWT (session auth)
Browser-based clients authenticate via JWT tokens stored in httpOnly cookies. This is used by the console web app and is not recommended for programmatic API access.
- Access token: 15-minute TTL, set as the access_token cookie
- Refresh token: 30-day TTL, set as the refresh_token cookie
JWTs are issued via OAuth (Google/GitHub) or magic link sign-in flows.
Organization context
API keys are bound to an organization. When authenticating with an API key, the organization is resolved automatically from the key.
When using JWT auth, pass the X-Org-ID header to specify which organization context to use.
Error responses
| Status | Meaning |
|---|---|
| 401 | Missing or invalid credentials |
| 402 | Insufficient credits in the billing account |
| 403 | Valid credentials but insufficient permissions |
See Error Codes for the full error response format.
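
The following client-side sketch is an added example, not code from the ai& documentation or SDK. It builds the Authorization and X-Org-ID headers described above, rejects malformed values before they reach a header, and reports the documented 401/402/403 meanings without writing the full key to logs. Assumptions: the host `api.example.invalid` is a placeholder (the page gives no base URL), all function names are hypothetical, and key management endpoints are assumed to accept API key auth.

```python
import urllib.request

BASE_URL = "https://api.example.invalid"  # placeholder: the page gives no API host
KEY_MGMT_PREFIX = "/api/v1/keys"          # key management endpoints from the table above
AUTH_ERRORS = {                           # meanings from the "Error responses" table
    401: "Missing or invalid credentials",
    402: "Insufficient credits in the billing account",
    403: "Valid credentials but insufficient permissions",
}

def redact(api_key):
    """Log-safe form of a key: the sk- prefix plus the last four characters."""
    return "sk-..." + api_key[-4:] if len(api_key) > 8 else "sk-..."

def auth_headers(api_key, org_id=None):
    """Build request headers, rejecting values that cannot be a valid key or ID."""
    if not api_key.startswith("sk-"):
        raise ValueError("API keys start with the sk- prefix")
    for value in (api_key, org_id or ""):
        # CR/LF or other whitespace in a header value allows header injection.
        if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
            raise ValueError("whitespace or control character in header value")
    headers = {"Authorization": "Bearer " + api_key}
    if org_id:
        headers["X-Org-ID"] = org_id
    return headers

def build_request(method, path, api_key, org_id=None):
    """Prepare (but do not send) a request; key management needs X-Org-ID."""
    if path.startswith(KEY_MGMT_PREFIX) and not org_id:
        raise ValueError("key management endpoints require X-Org-ID")
    return urllib.request.Request(BASE_URL + path, method=method,
                                  headers=auth_headers(api_key, org_id))

def describe_auth_error(status, api_key):
    """Message for logs: the documented meaning and a redacted key, never the key."""
    meaning = AUTH_ERRORS.get(status, "Not an authentication error")
    return f"{status} {meaning} (key {redact(api_key)})"
```

Load the key from an environment variable or secret store rather than source code, and pass the prepared request to `urllib.request.urlopen` once `BASE_URL` points at the real API host.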