Authentication

API keys

Keys are created and revoked inDashboard → API keys and carry therender:write scope. A key is shown once at creation and stored only as a hash — if you lose it, revoke it and create a new one. Live keys are prefixed sk_live_.

Using your key

Pass the key as a Bearer token in the Authorization header on every call:

Authorization: Bearer sk_live_...

Each successful render costs one credit. A missing or invalid key returns 401 unauthorized; out of credits returns402 payment_required (see Errors).

Keeping keys safe

• Keep keys server-side — never ship them in a browser, mobile app, or public repo.
• Use a separate key per environment or service so you can revoke one without breaking the rest.
• Rotate by creating a new key, switching traffic over, then revoking the old one.

Manage rate limits and credits next, or jump to the full render reference.