Authentication
Learn how to authenticate your API requests and manage API keys securely.
API Keys
All API requests require authentication using an API key. You can create and manage API keys from your Dashboard.
API keys come in two types:
- Live keys (sk_live_) — For production use
- Test keys (sk_test_) — For development and testing
Using API Keys
Include your API key in the Authorization header of every request:
Authorization: Bearer YOUR_API_KEY
Example Request
curl https://api.abstrakt.one/v1/models/fal-ai/flux/schnell/run \
  -H "Authorization: Bearer sk_live_xxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"input": {"prompt": "Hello world"}}'
Environment Variables
Never hardcode API keys in your source code. Use environment variables instead:
.env.local
ABSTRAKT_API_KEY=sk_live_xxxxxxxxxxxxx
JavaScript/TypeScript
const abstrakt = new Abstrakt({
  apiKey: process.env.ABSTRAKT_API_KEY
});
Python
import os
from abstrakt import Abstrakt
client = Abstrakt(api_key=os.environ["ABSTRAKT_API_KEY"])
Security Best Practices
Keep your keys secret
Never expose API keys in public repositories or client-side code, and never share them with unauthorized users.
Use environment variables
Store API keys in environment variables, not in your codebase.
Rotate keys regularly
Create new keys periodically and revoke old ones.
Use separate keys for environments
Use test keys for development and live keys only in production.
Set up IP allowlists
Restrict API key usage to specific IP addresses when possible.
Monitor usage
Set up alerts for unusual activity or unexpected usage spikes.
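The first and fourth practices above can be checked automatically before code is committed or deployed. The following is an added example, not part of the Abstrakt SDK or documentation: it flags hardcoded sk_live_/sk_test_ literals in source text and rejects a key type that does not match the environment. The function names, the assumed alphabet and minimum length of the secret part, and the rule that test keys are refused in production are assumptions of this example.

```python
import re

# Assumption: the page documents only the sk_live_ / sk_test_ prefixes; the
# alphabet and minimum length of the secret part are guessed for this example.
KEY_RE = re.compile(r"\bsk_(live|test)_[A-Za-z0-9_-]{8,}")
# Documentation placeholders such as sk_live_xxxxxxxxxxxxx are not real keys.
PLACEHOLDER_RE = re.compile(r"^sk_(live|test)_x+$", re.IGNORECASE)


def redact(key: str) -> str:
    """Keep the prefix and last 4 characters so a finding can be logged safely."""
    prefix = key[: key.index("_", 3) + 1]
    return f"{prefix}...{key[-4:]}"


def find_hardcoded_keys(source: str):
    """Return (line_no, key_type, redacted_key) for each key literal in source."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            if PLACEHOLDER_RE.match(match.group(0)):
                continue
            findings.append((line_no, match.group(1), redact(match.group(0))))
    return findings


def key_allowed_in(key: str, environment: str) -> bool:
    """Strict reading of the guidance: live keys only in production, test keys elsewhere."""
    if key.startswith("sk_live_"):
        return environment == "production"
    if key.startswith("sk_test_"):
        return environment != "production"
    return False  # not a recognised key type


# Constructed sample input: one hardcoded key, one placeholder, one env lookup.
SAMPLE = '''\
client = Abstrakt(api_key="sk_live_EXAMPLEKEY0001")
# docs example: sk_live_xxxxxxxxxxxxx
client = Abstrakt(api_key=os.environ["ABSTRAKT_API_KEY"])
'''

if __name__ == "__main__":
    for line_no, kind, shown in find_hardcoded_keys(SAMPLE):
        print(f"line {line_no}: hardcoded {kind} key {shown}")
```

Run find_hardcoded_keys over staged files in a pre-commit hook, and call key_allowed_in at application start-up so a misconfigured deployment fails before it sends a request.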
Key Permissions
You can configure granular permissions for each API key:
| Permission | Description |
|---|---|
| models:read | List and view model information |
| models:run | Execute model inference |
| jobs:read | View job status and results |
| jobs:write | Create and cancel jobs |
| webhooks:manage | Create and manage webhooks |
Authentication Errors
If authentication fails, you'll receive one of these error responses:
401 Unauthorized — Missing or invalid API key
{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid API key provided"
  }
}
403 Forbidden — Key lacks required permissions
{
  "error": {
    "code": "FORBIDDEN",
    "message": "API key does not have permission for this action"
  }
}