OmnAPI API Key Authentication
API Keys
Section titled “API Keys”Authenticate every public API request by sending your OmnAPI API key in the
x-api-key HTTP header.
GET /api/v1/tasks/task_01H... HTTP/1.1Host: api.omnapi.comx-api-key: sk_live_...The public API does not accept API keys in the Authorization: Bearer header.
Public docs, SDKs, and Postman samples use x-api-key only; internal service
keys and operator-issued machine automation credentials are private runbook
material, not customer API credentials.
Auth error responses
Section titled “Auth error responses”| Status | code | Cause |
|---|---|---|
401 | UNAUTHORIZED | Header missing, malformed, or the key is no longer active. |
403 | FORBIDDEN | Key valid but not allowed for the requested resource or plan. |
429 | RATE_LIMITED | Active request limit exceeded — see Rate Limits. |
All auth failures return the shared error envelope:
{ "success": false, "error": { "code": "UNAUTHORIZED", "message": "Missing or invalid x-api-key" }}Getting a key
Section titled “Getting a key”- Sign in to the OmnAPI dashboard.
- Open Settings → API Keys.
- Click Create key, label it, then copy the displayed API key.
You will only see the API key once. Store it in a password manager or your platform’s secret store.
Rotating a key
Section titled “Rotating a key”- Create a new key first (so you have overlap).
- Update your application to the new key.
- Disable the previous key from the dashboard.
- After ≥ 24h of zero traffic on the previous key, delete it.
Scoping & limits
Section titled “Scoping & limits”OmnAPI applies default request limits to protect service stability. Higher production allowances can be reviewed with support; see Rate Limits.
Safe handling
Section titled “Safe handling”| Practice | Guidance |
|---|---|
| Server-side use | Recommended for production. Keep keys in a secret manager or environment variable. |
| Browser use | Avoid exposing production keys in public client code. The docs playground stores a key locally only for your own session. |
| Logging | Never log raw keys, request headers, or full webhook URLs containing secrets. |
| Rotation | Rotate keys periodically and immediately after any suspected exposure. |
The interactive playground keeps keys in the current browser session and sends
requests directly to api.omnapi.com.
Compromised key checklist
Section titled “Compromised key checklist”- Disable the key from the dashboard immediately.
- Review recent usage in Settings → Usage for unexpected calls.
- Rotate any keys derived from the same source (e.g., copy-pasted into shared workspaces).
- File a support ticket if you need help investigating unexpected usage.