Skip to content

OmnAPI API Key Authentication

Authenticate every public API request by sending your OmnAPI API key in the x-api-key HTTP header.

GET /api/v1/tasks/task_01H... HTTP/1.1
Host: api.omnapi.com
x-api-key: sk_live_...

The public API does not accept API keys in the Authorization: Bearer header. Public docs, SDKs, and Postman samples use x-api-key only; internal service keys and operator-issued machine automation credentials are private runbook material, not customer API credentials.

StatuscodeCause
401UNAUTHORIZEDHeader missing, malformed, or the key is no longer active.
403FORBIDDENKey valid but not allowed for the requested resource or plan.
429RATE_LIMITEDActive request limit exceeded — see Rate Limits.

All auth failures return the shared error envelope:

{
"success": false,
"error": { "code": "UNAUTHORIZED", "message": "Missing or invalid x-api-key" }
}
  1. Sign in to the OmnAPI dashboard.
  2. Open Settings → API Keys.
  3. Click Create key, label it, then copy the displayed API key.

You will only see the API key once. Store it in a password manager or your platform’s secret store.

  1. Create a new key first (so you have overlap).
  2. Update your application to the new key.
  3. Disable the previous key from the dashboard.
  4. After ≥ 24h of zero traffic on the previous key, delete it.

OmnAPI applies default request limits to protect service stability. Higher production allowances can be reviewed with support; see Rate Limits.

PracticeGuidance
Server-side useRecommended for production. Keep keys in a secret manager or environment variable.
Browser useAvoid exposing production keys in public client code. The docs playground stores a key locally only for your own session.
LoggingNever log raw keys, request headers, or full webhook URLs containing secrets.
RotationRotate keys periodically and immediately after any suspected exposure.

The interactive playground keeps keys in the current browser session and sends requests directly to api.omnapi.com.

  1. Disable the key from the dashboard immediately.
  2. Review recent usage in Settings → Usage for unexpected calls.
  3. Rotate any keys derived from the same source (e.g., copy-pasted into shared workspaces).
  4. File a support ticket if you need help investigating unexpected usage.