X-API-Key header on every request.
Authenticated RPC request
Bearer in front of it.
Paid plans only
RPC needs a paid plan:starter, pro, or enterprise. A valid key on the free plan is rejected.
You can check the plan on a key with GET /auth/me on the REST API. See REST Authentication.
What errors mean
| Case | Response |
|---|---|
| You sent no key | 401 Unauthorized |
| The key is wrong or turned off | 401 Unauthorized |
| The key is valid but on the free plan | 403 Forbidden |
Free plan rejected
Good habits
- Keep secret keys (
sk_...) on your server, never in a browser. - Use a different key for each app or environment when you can.
- Make a new key if you think an old one leaked.