Authentication
API Keys
Section titled “API Keys”All OmnAPI requests authenticate via the x-api-key HTTP header.
GET /api/v1/tasks/job_01H... HTTP/1.1Host: api.omnapi.comx-api-key: sk_live_...There is no Authorization: Bearer flow for the public API — that header is reserved for the dashboard session and not accepted by the gateway.
Getting a key
Section titled “Getting a key”- Sign in to omnapi.com.
- Open Settings → API Keys.
- Click Create key, label it, then copy the displayed secret.
You will only see the secret once. Store it in a password manager or your platform’s secret store.
Rotating a key
Section titled “Rotating a key”- Create a new key first (so you have overlap).
- Update your application to the new key.
- Disable the old key from the dashboard.
- After ≥ 24h of zero traffic on the old key, delete it.
Scoping & limits
Section titled “Scoping & limits”Each key carries:
- A per-second rate limit (default: shared with your plan tier)
- A per-day request budget
- A per-month request budget
0 on any field means unlimited within plan limits. See Rate Limits.
Security model
Section titled “Security model”| Stored in browser? | Sent with every request? | Visible to OmnAPI staff? | |
|---|---|---|---|
| Dashboard session cookie | Yes (httpOnly) | dashboard.omnapi.com only | No (encrypted) |
x-api-key from playground | Yes (localStorage) | docs playground only | No |
x-api-key server-side | Up to you | Yes | Hashed at rest |
The interactive playground stores keys only in your browser’s localStorage and sends them
direct to api.omnapi.com. The docs site server (docs.omnapi.com) never sees your key.
Compromised key checklist
Section titled “Compromised key checklist”- Disable the key from the dashboard immediately.
- Review recent usage in Settings → Usage for unexpected calls.
- Rotate any keys derived from the same source (e.g., copy-pasted into shared workspaces).
- File a support ticket if you suspect leak through OmnAPI infrastructure.