Authentication

API key authentication, key rotation, and request hardening.

Authentication Header

Use only this header:

  • x-api-key: <API_KEY>

Request Security Baseline

  • Always use HTTPS.
  • Keep keys only on trusted servers.
  • Never expose project-level API keys in browser clients.
  • Rotate leaked keys immediately.

Key Rotation Workflow

  1. Create a new key in your control plane.
  2. Deploy your backend with dual-key support for the transition period.
  3. Shift traffic to the new key.
  4. Revoke the old key.

Backend Proxy Recommendation

Do not call Open API directly from untrusted clients.

Recommended flow:

  1. Your client calls your backend.
  2. Your backend injects the API key and forwards the request.
  3. Your backend handles retry, rate-limit backoff, and audit logging.
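The proxy flow above, together with the dual-key rotation workflow and the whitespace check from Quick Checks, as an added example (not code from this documentation or the Open API project). It assumes the keys arrive via the environment variables OPEN_API_KEY_PRIMARY and OPEN_API_KEY_SECONDARY, the base URL via OPEN_API_BASE_URL, and a caller-supplied send function for the outbound HTTP call; the route paths are constructed for illustration.

```python
import hashlib
import logging
import os
import time
from typing import Callable, Dict, List, Tuple

# Placeholder default; the real Open API base URL comes from your deployment config.
OPEN_API_BASE_URL = os.environ.get("OPEN_API_BASE_URL", "https://open-api.example.invalid")
# send(url, headers, body) -> (status, response_body); hypothetical transport hook.
SendFn = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]
log = logging.getLogger("open_api_proxy")


def key_fingerprint(key: str) -> str:
    """Short SHA-256 prefix so audit logs can identify a key without recording it."""
    return hashlib.sha256(key.encode()).hexdigest()[:8]


def load_api_keys(env=os.environ) -> List[str]:
    """Primary key first, secondary second (set only during a rotation window).
    Whitespace is stripped so a trailing newline in a secret file cannot malform x-api-key."""
    raw = [env.get("OPEN_API_KEY_PRIMARY", ""), env.get("OPEN_API_KEY_SECONDARY", "")]
    return [k.strip() for k in raw if k.strip()]


def forward(path: str, body: bytes, keys: List[str], send: SendFn,
            max_attempts: int = 4, sleep: Callable[[float], None] = time.sleep) -> Tuple[int, bytes]:
    """Inject x-api-key, retry 429 with exponential backoff, fall back to the next key on 401."""
    if not keys:
        raise RuntimeError("no Open API key configured on this server")
    url = OPEN_API_BASE_URL.rstrip("/") + "/" + path.lstrip("/")
    status, payload = 0, b""
    for key in keys:
        fp = key_fingerprint(key)
        for attempt in range(max_attempts):
            status, payload = send(url, {"x-api-key": key, "content-type": "application/json"}, body)
            # Audit line records route, key fingerprint and outcome, never the key itself.
            log.info("audit path=%s key=%s attempt=%d status=%d", path, fp, attempt + 1, status)
            if status == 429 and attempt + 1 < max_attempts:
                sleep(2 ** attempt)      # rate limited: back off 1s, 2s, 4s, then retry
                continue
            if status == 401:            # key missing or revoked: try the next configured key
                break
            return status, payload       # 2xx, 403 (not retryable) or final 429
    return status, payload               # every configured key was rejected with 401
```

During rotation, set the new key as primary and keep the old one as secondary until the old key is revoked, then drop the secondary variable.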

Common Authentication Failures

401 Unauthorized

Typical causes:

  • Missing API key header.
  • Invalid or revoked key.
  • Malformed x-api-key value.

403 Forbidden

Typical causes:

  • The API key is not authorized for Open API access.
  • The account is not eligible for the requested Open API route.

For project, upload, asset, and export routes, a 403 with the error code OPEN_API_RUNTIME_ACCESS_FORBIDDEN means the current account cannot use that route right now.

Quick Checks

  • Ensure there are no leading or trailing spaces in keys.
  • Ensure the request points to the Open API base URL.
  • Confirm server clock and outbound network are healthy.
