API basics
Authentication
Authenticate TokenAir API requests with bearer tokens and keep keys safe.
API key format
TokenAir API requests use bearer token authentication. Treat API keys like passwords. Do not place them in browser code, public Git repositories, issue trackers, screenshots, or client-side logs.
Create or view a key
- Log in to the TokenAir Console.
- Open API Key Management in the left sidebar.
- Select Create Token.
- Enter a token name. Token names should be 6-25 characters.
- Optionally restrict the key with Model Authorization or IP Authorization if those controls are available for your account.
- Create the token, then use Copy full API Key and store the value in your secret manager.
- Use the key in server-side code through an environment variable.
Regular users should see Overview, API Key Management, Recharge Records, and Consumption Records. Provider, model administration, and offline recharge tools are administrator-only and are not part of the public integration flow.
Server-side use
export TOKENAIR_API_KEY="your_tokenair_api_key"
Read this value from your server runtime. Never expose it in a public web bundle.
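The following added example is not TokenAir's own code. It shows one way to read the key server-side, build the bearer header, and keep the key out of application logs. It assumes the standard `Authorization: Bearer <key>` header form. The helper names and the sample key are hypothetical.

```python
import logging
import os

ENV_VAR = "TOKENAIR_API_KEY"  # variable name from the export line on this page
PLACEHOLDER = "your_tokenair_api_key"  # the page's placeholder value


def load_api_key(env=None):
    """Read the key from the server environment; fail fast if it is unset."""
    env = os.environ if env is None else env
    key = env.get(ENV_VAR, "").strip()
    if not key or key == PLACEHOLDER:
        raise RuntimeError(f"{ENV_VAR} is not set to a real key")
    return key


def auth_headers(key):
    """Bearer-token header in the standard 'Authorization: Bearer' form."""
    return {"Authorization": f"Bearer {key}"}


class RedactKeyFilter(logging.Filter):
    """Replace the key with a marker before a record reaches its handler."""

    def __init__(self, key):
        super().__init__()
        self._key = key

    def filter(self, record):
        message = record.getMessage()  # msg with args already merged in
        if self._key in message:
            record.msg = message.replace(self._key, "[REDACTED]")
            record.args = None
        return True


def redacted(key, message, *args):
    """Return the text a handler carrying the filter would emit."""
    record = logging.LogRecord("app", logging.INFO, "app.py", 0, message, args, None)
    RedactKeyFilter(key).filter(record)
    return record.getMessage()


if __name__ == "__main__":
    sample = "constructed-sample-key-0000"  # constructed, not a real key or format
    handler = logging.StreamHandler()
    handler.addFilter(RedactKeyFilter(load_api_key({ENV_VAR: sample})))
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    logging.info("outgoing headers: %s", auth_headers(sample))
```

Attach the filter to handlers rather than to a single logger, so records from child loggers and third-party libraries pass through it too.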
Rotation
Rotate keys when a teammate leaves, a key appears in logs, or a deployment environment changes. Keep old and new keys active only as long as needed to complete the rollout.
Disable a key
API Key Management includes a status control for keys. Disable a key when it is no longer used, then watch your application logs for 401 responses before deleting old deployment secrets.