[ Docs ]

Authentication

Bearer authentication for the IdonAI API — prepare now; keys ship later.

Status

API keys are under development. When keys ship, create and revoke them from the account surface we publish — until then, prepare integrations against the contract below.

There is no public key dashboard today. Do not expect self-serve issuance, rotation UI, or usage graphs until we announce them.

Bearer header

All authenticated requests use an Authorization header with a Bearer token:

typescript
curl https://api.idonai.com/v1/chat/completions \
  -H "Authorization: Bearer $IDONAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "origin",
    "messages": [{"role": "user", "content": "Hello."}]
  }'

Missing or invalid credentials return 401 unauthorized. A valid key without permission for a model or action returns 403 forbidden. See the API reference for the full error table.

Environment variables

Store keys outside source control. Common patterns:

typescript
# shell / CI
export IDONAI_API_KEY="..."

# .env (never commit)
IDONAI_API_KEY=...

SDK sketches read IDONAI_API_KEY (or an explicit constructor argument). Prefer env injection in production so secrets never land in images or client bundles.

Never ship keys to the browser

  • Do not embed API keys in frontend JavaScript, mobile apps, or public repos
  • Call IdonAI from your backend, edge function, or trusted worker
  • If you need a browser demo, proxy through your own authenticated API

Browser-exposed keys are effectively public. Treat any key that has touched a client as compromised once keys exist.

  • Use separate keys for development and production when that surface exists
  • Scope access to the minimum models and environments you need
  • Rotate keys after staff changes or suspected exposure
  • Log request ids and status codes — never log the raw Bearer token

Enterprise authentication

Enterprise customers can discuss SSO, audit logging, and committed capacity. Contact enterprise or email enterprise@idonai.com.