Authentication

Every request to /v1/* must include an Authorization header with a Bearer-prefixed InfraModels API key.

Authorization: Bearer im_live_<8 hex>_<64 hex>

Key format

The key is structured as four underscore-separated parts:

  • im — fixed namespace.
  • live or test — environment selector. Test keys are intended for staging and CI; live keys hit real providers and burn real credits.
  • 8 hex chars — the public prefix. Shown in the dashboard for identification.
  • 64 hex chars — 256 bits of secret entropy. Only shown once at creation.

Storage rules

  • We store an argon2id hash of the full key. The raw secret cannot be recovered after creation.
  • A key's key_prefix is indexed for fast lookup, so verification is one hash compare against one row.
  • If you lose the secret, revoke the key and create a new one. We can't retrieve it.

Pausing and revoking

From /api-keys you can pause a key (temporarily return 401) or revoke it permanently. Revocation cascades; existing cached sessions on your side won't work either.

Per-key permissions (optional)

Each key has a permission row that can restrict it to a subset of models or endpoints. By default keys have allow_all_models = true and allow_all_endpoints = true. Future UI exposes per-key narrowing.