Authentication
Every public endpoint requires an X-API-Key header. Keys are long-lived bearer secrets minted from the dashboard. There is no OAuth, no session cookie, and no Authorization: Bearer flow on the public API.
Header format
X-API-Key: neuro_a1b2c3d4e5f6...

Keys look like neuro_<random>. The leading neuro_<8 chars> is the public prefix - that's what we display in dashboards, logs and the key_prefix field on /health. The full secret is only ever shown once, at creation time.
Mint a key
Open the dashboard → API Keys.
Click Create key, label it (e.g. prod-server, local-laptop).
Copy the secret immediately. Store it somewhere only your service can read: a Vault, a secret manager, environment variables on the server.
Lost a key? Revoke it and mint a new one - we can't recover plaintext.
Verify a key
The fastest way to confirm a key works:
curl -s https://api.neurobro.ai/api/v1/health \
  -H "X-API-Key: $NEUROAPI_KEY" | jq .authenticated
# → true

/health is free. Use it as a smoke test in deploy pipelines.
Rotate a key
Mint the new key, deploy it alongside the old one, switch traffic, then
revoke the old one from the dashboard. Revoked keys return 401 on the
next request. There is no grace period.
What gets logged
We log the prefix only. The full secret is never written to logs, dashboards, or error reports. Error-tracking payloads are scrubbed before being sent off-platform.
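The prefix rule above is easy to apply in your own tooling as well. The following POSIX sh helpers are an added example, not code shipped with the API: key_prefix returns the neuro_<8 chars> display form described under "Header format", and scrub_keys rewrites any full key found in a stream to that prefix before the text is forwarded to a logger or error tracker. The key values are constructed, and the assumption that the random part is alphanumeric is ours.

```shell
#!/bin/sh
# Added example (not part of the neurobro.ai docs). Assumes keys are
# neuro_<random> with an alphanumeric random part; the sample key is constructed.

# Print the loggable prefix of a key: "neuro_" plus the next 8 characters
# (14 characters in total). Fails for anything that is not a neuro_ key.
key_prefix() {
    key=$1
    case "$key" in
        neuro_*) ;;
        *) printf '%s\n' "key_prefix: not a neuro_ key" >&2; return 1 ;;
    esac
    printf '%s\n' "$key" | cut -c1-14
}

# Filter: replace every full key in stdin with its prefix followed by "...",
# so a secret pasted into a log line or stack trace never leaves the host intact.
scrub_keys() {
    sed -E 's/(neuro_[A-Za-z0-9]{8})[A-Za-z0-9]+/\1.../g'
}

# Stand-alone demo with a constructed key:
#   key_prefix neuro_a1b2c3d4e5f6g7h8          -> neuro_a1b2c3d4
#   printf 'X-API-Key: neuro_a1b2c3d4e5f6g7h8\n' | scrub_keys
#                                              -> X-API-Key: neuro_a1b2c3d4...
```

Pipe your application's stderr through scrub_keys before it reaches a log shipper; the prefix that survives is exactly what the dashboard shows, so you can still correlate which key was involved.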
Common mistakes
- Authorization: Bearer ... - wrong header. Use X-API-Key.
- Trailing whitespace or newlines - curl ... -H "X-API-Key: $KEY" is safe; echo $KEY | curl often isn't.
- Wrong host - public traffic goes to api.<DOMAIN>, not the dashboard host.
- Calling without an active plan - auth succeeds, but billing-gated endpoints return 402.
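The whitespace and wrong-header mistakes above can be caught before a request is ever sent. This POSIX sh snippet is an added example, not part of the official docs: trim_key strips the stray newline or carriage return that echo or a CRLF secrets file would otherwise put into the header, valid_key_format rejects anything that is not a bare neuro_<random> token (so "Bearer neuro_..." fails), load_key_from_file combines both for a key written by a secret manager, and smoke_test wraps the /health call from "Verify a key" so a deploy pipeline fails unless authenticated is true. The file contents and keys are constructed; the URL, curl and jq usage come from the page.

```shell
#!/bin/sh
# Added example (not part of the neurobro.ai docs). Sample keys are constructed.

# Remove \r and \n anywhere, then leading/trailing whitespace.
trim_key() {
    printf '%s' "$1" | tr -d '\r\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# 0 if the value is a bare neuro_<random> token with no embedded whitespace,
# 1 otherwise (catches "Bearer neuro_...", blank keys, keys with newlines).
valid_key_format() {
    case "$1" in
        neuro_*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Read a key from a file (e.g. one dropped by a secret manager), clean it and
# validate it; prints the clean key without a trailing newline.
load_key_from_file() {
    raw=$(cat "$1")                      # $(...) already drops trailing newlines
    key=$(trim_key "$raw")               # ...but not \r or padding spaces
    valid_key_format "$key" || { printf '%s\n' "bad key in $1" >&2; return 1; }
    printf '%s' "$key"
}

# Deploy-pipeline smoke test: non-zero exit unless /health reports
# "authenticated": true. Needs network; curl -f also fails on 4xx/5xx.
smoke_test() {
    key=$(trim_key "$1")
    valid_key_format "$key" || return 1
    curl -sf https://api.neurobro.ai/api/v1/health -H "X-API-Key: $key" \
        | jq -e '.authenticated == true' >/dev/null
}

# Typical pipeline use (network call, so not exercised offline):
#   NEUROAPI_KEY=$(load_key_from_file /run/secrets/neuroapi_key) || exit 1
#   smoke_test "$NEUROAPI_KEY" || exit 1
```

Because load_key_from_file prints the key without a newline, it is safe to use directly in a command substitution; the trailing-newline trap only appears when the raw secret is piped through echo or read with a tool that keeps line endings.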