Authentication¶
Every request to the Companions API must be authenticated. Programmatic access uses an API key sent in the Authorization header:
The scheme keyword is ApiKey (not Bearer). Requests without a valid key are rejected with 401.
Keep your key secret
An API key carries your account's full programmatic access and spends your balance. Treat it like a password: store it in an environment variable or a secrets manager, never commit it to source control, and never expose it in client-side code.
Getting a key¶
API keys are minted from your account dashboard, or programmatically via POST /v1/account/keys. The plaintext key is shown exactly once at creation and is never retrievable again — copy it immediately. You can hold up to 5 active keys; revoke one to free a slot.
Using a key¶
Send the key on every request. The examples below read it from a COMPANIONS_API_KEY environment variable.
Rotating and revoking¶
Keys are independent — mint a fresh key, cut traffic over to it, then revoke the old one with DELETE /v1/account/keys/{key_id}. Revocation is immediate.