
API Key Authentication

All API requests require a valid API key sent via the Authorization header using the Bearer scheme:
Authorization: Bearer your-omniakey-api-key

Full Example

curl https://api.omniakey.com/v1/chat/completions \
  -H "Authorization: Bearer your-omniakey-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'

Using the SDK

When using an OpenAI-compatible SDK, pass your API key during client initialization:
from openai import OpenAI

client = OpenAI(
    api_key="your-omniakey-api-key",   # or set OPENAI_API_KEY env var
    base_url="https://api.omniakey.com/v1"
)

Using Environment Variables

We recommend storing your API key in an environment variable rather than hardcoding it:
export OMNIAKEY_API_KEY="your-omniakey-api-key"

import os
from openai import OpenAI

client = OpenAI(
    api_key=os.environ["OMNIAKEY_API_KEY"],
    base_url="https://api.omniakey.com/v1"
)

Managing API Keys

You can create, view, and revoke API keys from the Console.
  • Create multiple keys for different environments (development, staging, production)
  • Set spending limits per key to control costs
  • Revoke keys instantly if they are compromised

Error Responses

If authentication fails, the API returns a 401 Unauthorized error:
{
  "error": {
    "message": "Invalid API key provided.",
    "type": "authentication_error",
    "code": "invalid_api_key"
  }
}
Common causes:
  • Missing or malformed Authorization header
  • Expired or revoked API key
  • API key does not have sufficient permissions

Security Best Practices

1. Never expose your API key in frontend code

Always call the API from your backend server. Never include API keys in client-side JavaScript, mobile apps, or public repositories.

2. Use environment variables

Store API keys in environment variables or a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault). Never commit keys to version control.

3. Rotate keys regularly

Generate new API keys periodically and revoke old ones. This limits the impact if a key is accidentally exposed.

4. Use separate keys per environment

Create different API keys for development, staging, and production. This way, revoking a dev key won’t affect production.

5. Monitor usage

Review your API usage regularly in the Console to detect any unusual activity.
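
Practices 1 and 2 combined, as an added example that is not part of the original page or the provider's SDK: a backend helper that reads the key from OMNIAKEY_API_KEY, fails closed if it is missing or still the docs placeholder, and discards any Authorization header sent by the browser. The helper names, the header allowlist and the ConfigError class are assumptions made for illustration.

```python
import json
import os
import urllib.request

BASE_URL = "https://api.omniakey.com/v1"   # from the page
KEY_ENV_VAR = "OMNIAKEY_API_KEY"            # from the page
PLACEHOLDER = "your-omniakey-api-key"       # docs placeholder, never a real key
FORWARD_ALLOWLIST = {"content-type"}        # assumption: only header the backend relays


class ConfigError(RuntimeError):
    """The server-side key is missing or is still the docs placeholder."""


def load_api_key(env=os.environ):
    """Read the key from the environment and fail closed if it is unusable."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key or key == PLACEHOLDER:
        raise ConfigError(f"{KEY_ENV_VAR} is not set to a real key")
    return key


def build_upstream_request(client_headers, payload, env=os.environ):
    """Build the request the backend sends to the API (hypothetical helper).

    Browser-supplied headers are untrusted: only allowlisted ones are relayed,
    so a client-sent Authorization header is dropped and the server-side key
    is the only credential that reaches the API.
    """
    headers = {k: v for k, v in client_headers.items()
               if k.lower() in FORWARD_ALLOWLIST}
    headers["Authorization"] = f"Bearer {load_api_key(env)}"
    return urllib.request.Request(
        f"{BASE_URL}/chat/completions",
        data=json.dumps(payload).encode("utf-8"),
        headers=headers,
        method="POST",
    )


def is_auth_failure(status, body):
    """True for a 401 whose body has the authentication_error shape shown above."""
    if status != 401:
        return False
    try:
        return json.loads(body)["error"]["type"] == "authentication_error"
    except (ValueError, KeyError, TypeError):
        return False
```

Calling load_api_key() once at process start makes a missing or placeholder key stop the deployment instead of producing 401 responses at request time.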