Authorization request header.
API Key Authentication
API Key is the simplest authentication method, ideal for server-to-server direct calls.Usage
AddAuthorization: Bearer sk-pro-xxxx to the request header:
Characteristics
Use Cases
- Backend services calling AI capabilities
- Automation scripts and scheduled tasks
- Internal tools and management systems
- Development and testing
Security Best Practices
- Do not use API Keys in frontend code — browser-side code is visible to users
- Use environment variables to store keys; do not hardcode them in source code
- Set expiration times — choose an expiration period when creating the key in the Platform Console
- Assign scopes as needed — do not use full permissions
- Rotate regularly — periodically create new keys and revoke old ones
OAuth Bearer Authentication
OAuth authentication is suited for App scenarios that operate on behalf of users. Obtain an Access Token through the standard OAuth 2.0 Authorization Code flow.Usage
Characteristics
Use Cases
- Apps calling AI models on behalf of users
- Third-party applications requiring user authorization
- SaaS products with per-user billing
- Custom billing event reporting (
/v1/eventssupports OAuth only)
OAuth Flow Overview
Comparison
How to Choose
1
Determine the billing subject
If credits should be deducted from your own account → API KeyIf credits should be deducted from the user’s account → OAuth
2
Determine the calling pattern
If it’s a backend service calling directly → API KeyIf it’s an App acting on behalf of a user → OAuth
3
Determine feature requirements
If you need to use the Events API to report custom billing events → OAuthFor other scenarios, either method works
Authentication Errors
When authentication fails, the API returns the following errors:
Error response example:
Rate Limits
API calls are protected by rate limits. Limits are calculated per API Key or per user associated with the OAuth Token. When a rate limit is triggered, the API returns429 Too Many Requests:
Next Steps
API Key Management
Complete guide to creating, viewing, and revoking API Keys
OAuth Integration
Complete OAuth 2.0 integration flow

