Authentication
Every request to /v1/* must include an Authorization header with a Bearer-prefixed InfraModels API key.
Authorization: Bearer im_live_<8 hex>_<64 hex>
Key format
The key is structured as four underscore-separated parts:
im— fixed namespace.liveortest— environment selector. Test keys are intended for staging and CI; live keys hit real providers and burn real credits.- 8 hex chars — the public prefix. Shown in the dashboard for identification.
- 64 hex chars — 256 bits of secret entropy. Only shown once at creation.
Storage rules
- We store an
argon2idhash of the full key. The raw secret cannot be recovered after creation. - A key's
key_prefixis indexed for fast lookup, so verification is one hash compare against one row. - If you lose the secret, revoke the key and create a new one. We can't retrieve it.
Pausing and revoking
From /api-keys you can pause a key (temporarily return 401) or revoke it permanently. Revocation cascades; existing cached sessions on your side won't work either.
Per-key permissions (optional)
Each key has a permission row that can restrict it to a subset of models or endpoints. By default keys have allow_all_models = true and allow_all_endpoints = true. Future UI exposes per-key narrowing.