NeuroAPI

Authentication

Every public endpoint requires an X-API-Key header. Keys are long-lived bearer secrets minted from the dashboard. There is no OAuth, no session cookie, no Authorization: Bearer flow on the public API.

Header format

X-API-Key: neuro_a1b2c3d4e5f6...

Keys look like neuro_<random>. The leading neuro_<8 chars> is the public prefix - that's what we display in dashboards, logs and the key_prefix field on /health. The full secret is only ever shown once, at creation time.

Mint a key

Open the dashboard → API Keys.

Click Create key, label it (e.g. prod-server, local-laptop).

Copy the secret immediately. Store it somewhere only your service can read: a Vault, a secret manager, environment variables on the server.

Lost a key? Revoke it and mint a new one - we can't recover plaintext.

Verify a key

The fastest way to confirm a key works:

curl -s https://api.neurobro.ai/api/v1/health \
  -H "X-API-Key: $NEUROAPI_KEY" | jq .authenticated
# → true

/health is free. Use it as a smoke test in deploy pipelines.

Rotate a key

Mint the new key, deploy it alongside the old one, switch traffic, then revoke the old one from the dashboard. Revoked keys return 401 on the next request. There is no grace period.

What gets logged

We log the prefix only. The full secret is never written to logs, dashboards, or error reports. Error-tracking payloads are scrubbed before being sent off-platform.

Common mistakes

  • Authorization: Bearer ... - wrong header. Use X-API-Key.
  • Trailing whitespace or newlines - curl ... -H "X-API-Key: $KEY" is safe; echo $KEY | curl often isn't.
  • Wrong host - public traffic goes to api.<DOMAIN>, not the dashboard host.
  • Calling without an active plan - auth succeeds, but billing-gated endpoints return 402.
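The header format, prefix-only logging rule and whitespace mistake above are easy to get right once in a small client helper. The following is an added example, not NeuroAPI's own client library: it reads the key from the NEUROAPI_KEY variable the curl example uses, strips the trailing newline that shell plumbing leaves behind, checks the value looks like neuro_<random>, builds the X-API-Key header, and installs a logging filter that rewrites the full secret to its neuro_<8 chars> prefix before any record is formatted. The key alphabet the regex assumes (letters, digits, '-' and '_') is an assumption the page does not state, and the sample key is constructed, not a real credential.

```python
"""Client-side handling of a NeuroAPI key: load, validate, and keep it out of logs.

Added example, not NeuroAPI's own code. Assumptions are marked inline.
"""
import logging
import os
import re

PREFIX_LEN = len("neuro_") + 8  # "neuro_<8 chars>" is the public part shown in dashboards/logs
# Assumption: the random part is URL-safe (letters, digits, '-' and '_') with no whitespace.
_KEY_RE = re.compile(r"^neuro_[A-Za-z0-9_-]{9,}$")

SAMPLE_KEY = "neuro_a1b2c3d4e5f6g7h8i9j0"  # constructed for the demo, not a real key


class KeyFormatError(ValueError):
    """Raised when the configured value cannot be a valid X-API-Key."""


def normalize_key(raw: str) -> str:
    """Strip the newline/whitespace that `echo $KEY | ...` leaves behind, then
    check the result looks like a NeuroAPI key. The value itself is never
    echoed into the error message."""
    key = raw.strip()
    if not _KEY_RE.match(key):
        raise KeyFormatError("value does not look like a neuro_<random> API key")
    return key


def key_prefix(key: str) -> str:
    """Public prefix, as shown in dashboards and the key_prefix field on /health."""
    return key[:PREFIX_LEN]


def auth_headers(key: str) -> dict:
    """Headers for a public-API call: X-API-Key only, no Bearer flow."""
    return {"X-API-Key": normalize_key(key)}


def load_key(env=None) -> str:
    """Read the key from NEUROAPI_KEY (the variable the curl example uses)."""
    env = os.environ if env is None else env
    raw = env.get("NEUROAPI_KEY")
    if not raw:
        raise KeyFormatError("NEUROAPI_KEY is not set")
    return normalize_key(raw)


class RedactKeyFilter(logging.Filter):
    """Logging filter that formats each record's message early and replaces
    the full secret with its public prefix, so a stray repr() of headers or
    a debug line cannot write the key to logs or error reports."""

    def __init__(self, key: str):
        super().__init__()
        self._key = key
        self._replacement = key_prefix(key) + "..."

    def redact(self, text: str) -> str:
        return text.replace(self._key, self._replacement)

    def filter(self, record: logging.LogRecord) -> bool:
        # Format msg % args now so dict/list args get redacted too, then clear args.
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log = logging.getLogger("neuroapi")
    key = normalize_key(SAMPLE_KEY + "\n")  # trailing newline is stripped
    log.addFilter(RedactKeyFilter(key))
    log.info("using key %s", key_prefix(key))
    log.info("request headers: %r", auth_headers(key))  # secret is redacted before output
```

The filter covers the formatted message only; exception text attached via exc_info is rendered by the handler's Formatter, so attach the same redaction at handler level (or in the error-tracking client's scrubber) if tracebacks can carry request headers.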
