[ Docs ]
Authentication
Bearer authentication for the IdonAI API — prepare now; keys ship later.
Status
API keys are under development. When keys ship, create and revoke them from the account surface we publish — until then, prepare integrations against the contract below.
There is no public key dashboard today. Do not expect self-serve issuance, rotation UI, or usage graphs until we announce them.
Bearer header
All authenticated requests use an Authorization header with a Bearer token:
curl https://api.idonai.com/v1/chat/completions \
-H "Authorization: Bearer $IDONAI_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"model": "origin",
"messages": [{"role": "user", "content": "Hello."}]
}'
Missing or invalid credentials return 401 unauthorized. A valid key without permission for a model or action returns 403 forbidden. See the API reference for the full error table.
Environment variables
Store keys outside source control. Common patterns:
# shell / CI
export IDONAI_API_KEY="..."
# .env (never commit)
IDONAI_API_KEY=...
SDK sketches read IDONAI_API_KEY (or an explicit constructor argument). Prefer env injection in production so secrets never land in images or client bundles.
Never ship keys to the browser
- Do not embed API keys in frontend JavaScript, mobile apps, or public repos
- Call IdonAI from your backend, edge function, or trusted worker
- If you need a browser demo, proxy through your own authenticated API
Browser-exposed keys are effectively public. Treat any key that has touched a client as compromised once keys exist.
Recommended practices
- Use separate keys for development and production when that surface exists
- Scope access to the minimum models and environments you need
- Rotate keys after staff changes or suspected exposure
- Log request ids and status codes — never log the raw Bearer token
Enterprise authentication
Enterprise customers can discuss SSO, audit logging, and committed capacity. Contact enterprise or email enterprise@idonai.com.