Authentication
How it works
All API requests are authenticated with an API key passed in the Authorization header as a Bearer token. API keys are tied to your user account and billing plan; usage deducts from your credit balance.
Creating an API key
- Log in and navigate to /api-keys
- Click "Create key" and give it a name (e.g., "Production app")
- Optionally set a credit budget to cap this key's usage
- Copy the key immediately; it's shown in plain text only once
API key format: gomni_<64 hex chars>
Using the key
Authorization: Bearer gomni_abc123...
Every API request must include this header. Requests without a valid API key return 401 Unauthorized.
Security best practices
- Store API keys in environment variables, never in source code
- Use separate keys per environment (development, staging, production)
- Set credit budgets on keys that will be used by external users
- Rotate keys immediately if you suspect a leak: revoke the key and create a new one in /api-keys
- Never expose API keys in client-side JavaScript or mobile app binaries
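The following is an added example, not code from this API's documentation or SDK. It shows one way to apply the first practice above: load the key from an environment variable, check it against the documented gomni_<64 hex chars> format before use, and scan source text for hard-coded keys. The variable name GOMNI_API_KEY and all function names are assumptions, as is accepting upper-case hex.

```python
import os
import re

# Format from the page: "gomni_" followed by 64 hex characters.
# Accepting upper-case hex is an assumption; the page does not specify case.
KEY_RE = re.compile(r"gomni_[0-9a-fA-F]{64}")
ENV_VAR = "GOMNI_API_KEY"  # hypothetical variable name, not defined by the page


def redact(key: str) -> str:
    """Keep only enough of the key to identify it in logs."""
    return key[:10] + "..." + key[-4:]


def load_api_key(environ=os.environ) -> str:
    """Read the key from the environment and reject malformed values early."""
    key = environ.get(ENV_VAR, "").strip()
    if not KEY_RE.fullmatch(key):
        raise RuntimeError(f"{ENV_VAR} is unset or not in gomni_<64 hex chars> form")
    return key


def auth_headers(key: str) -> dict:
    """Build the header the page requires on every request."""
    return {"Authorization": f"Bearer {key}"}


def find_leaked_keys(text: str):
    """Return (line_number, redacted_key) for every key-shaped string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, redact(match.group())))
    return hits


if __name__ == "__main__":
    # Constructed sample: a fake key hard-coded in source, as a scanner would see it.
    fake_key = "gomni_" + "ab12" * 16
    sample = f'import os\nAPI_KEY = "{fake_key}"\nkey = os.environ["{ENV_VAR}"]\n'
    print(find_leaked_keys(sample))
    print(auth_headers(load_api_key({ENV_VAR: fake_key}))["Authorization"][:17] + "...")
```

Running find_leaked_keys over staged files in a pre-commit hook or CI job catches a hard-coded key before it reaches the repository; any hit should be treated as a leak and the key rotated.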