
API Authentication

Learn how to authenticate with the LLM Resayil API using API keys and Bearer tokens. Understand best practices for securing your credentials and managing your API keys.

Base URLs

The API supports three base URLs. Choose the one that best fits your use case:

| URL | Use Case |
| --- | --- |
| https://llmapi.resayil.io/v1/ | Preferred: OpenAI-compatible shorthand — ideal for OpenAI client libraries and any tool that targets the OpenAI API |
| https://llmapi.resayil.io/v1/ | New: Dedicated API hostname — a clean alternative for integrations that prefer a separate API domain |
| https://llmapi.resayil.io/v1/ | Standard: Standard path — retained for compatibility with existing integrations |

Note: All three URLs point to the same API and support identical endpoints. We recommend https://llmapi.resayil.io/v1/ for new projects — it is shorter and drops directly into the OpenAI SDK base_url parameter. https://llmapi.resayil.io/v1/ is also available as a dedicated API hostname.

API Key Authentication

LLM Resayil uses Bearer token authentication with API keys. Every API request must include your API key in the Authorization header. API keys are permanent credentials associated with your account and can be managed from your dashboard.

How API Keys Work

When you create an API key:

  • It's account-specific: The key is tied to your account and inherits your subscription tier and credit limits.
  • It never expires: API keys are permanent until you manually revoke them.
  • It represents full access: Anyone with your key can make API requests and consume your credits.
  • Multiple keys allowed: You can create multiple keys for different applications or teammates.

Finding and Generating Keys

To manage your API keys:

  1. Log in to your LLM Resayil dashboard
  2. Navigate to API Keys in the left sidebar
  3. Click "Generate New Key" to create a new key
  4. Your key will display once—copy it immediately and store it securely

Important: API keys are displayed only once after creation. If you lose your key, you'll need to generate a new one. Save your keys in a secure location like a password manager.

Authorization Header Format

Every request to the LLM Resayil API must include an Authorization header with your API key in Bearer token format. The header must be formatted exactly as shown below:

Authorization Header
Authorization: Bearer YOUR_API_KEY

Replace YOUR_API_KEY with your actual API key. The word "Bearer" must be included and is case-sensitive. A space must separate "Bearer" and your key.

Examples in Different Languages

cURL — preferred base URL (OpenAI-compatible)

bash
curl -X POST https://llmapi.resayil.io/v1/chat/completions \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model": "mistral", "messages": [{"role": "user", "content": "Hello"}]}'

cURL — standard alternative base URL

bash
curl -X POST https://llmapi.resayil.io/v1/chat/completions \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model": "mistral", "messages": [{"role": "user", "content": "Hello"}]}'

JavaScript (fetch):

javascript
const response = await fetch('https://llmapi.resayil.io/v1/chat/completions', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    model: 'mistral',
    messages: [{ role: 'user', content: 'Hello' }]
  })
});
const data = await response.json();

Python (requests):

python
import requests

response = requests.post(
  'https://llmapi.resayil.io/v1/chat/completions',
  headers={
    'Authorization': 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json'
  },
  json={
    'model': 'mistral',
    'messages': [{'role': 'user', 'content': 'Hello'}]
  }
)
data = response.json()

API Key Lifecycle

Understanding how to manage your API keys is crucial for security and operational continuity.

Key Generation

When you generate a new API key:

  • You'll see the key once on the confirmation screen
  • Copy and save it immediately—you won't see it again
  • The key is immediately active and ready to use
  • Multiple keys can be active simultaneously

Best Practices for Key Management

  • Never commit to version control: Store keys in environment variables or secret management tools, never in code or .env files checked into git.
  • Use different keys for different apps: Create separate keys for development, staging, and production environments.
  • Rotate keys regularly: Even if not compromised, rotate keys periodically for security hygiene.
  • Use minimal permissions: If your platform supports it, use keys with restricted access rather than full account access.
  • Monitor key usage: Regularly review which keys are active and revoke unused ones.

Revoking Keys

If you suspect a key has been compromised or you no longer need it:

  1. Go to API Keys in your dashboard
  2. Click "Revoke" next to the key you want to disable
  3. Confirm the revocation
  4. The key is immediately deactivated and cannot be used for new requests

After Revocation: Any requests using a revoked key will return a 401 Unauthorized error. If you're using this key in production, update your application to use a new key before revoking the old one.

Authentication Error Handling

If your authentication fails, you'll receive an error response. Here's how to diagnose and fix common auth issues:

| Status | Error | Cause | Solution |
| --- | --- | --- | --- |
| 401 | Unauthorized | Missing, invalid, or malformed API key | Check that Authorization header is present and formatted correctly. Verify your API key hasn't been revoked. |
| 401 | Invalid API Key | The provided key doesn't exist or is invalid | Generate a new key from your dashboard and update your application. |
| 401 | Key Revoked | The API key has been revoked | Generate a new key and deploy it to your application. |
| 403 | Forbidden | Authenticated but not authorized (account suspended or tier issue) | Check your account status and subscription tier in the dashboard. |

401 Unauthorized Response Example

json — Error Response
{
  "error": {
    "code": "invalid_api_key",
    "message": "Invalid API key provided.",
    "type": "authentication_error"
  }
}
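The revocation advice and the error table above can be combined into one client-side routine. The following is an added example, not LLM Resayil's own code: it tries each configured key once, moves on after a 401, stops on a 403, and logs only a redacted key. The send hook, the key values and the fake_send responder are constructed for illustration.

```python
import json
from typing import Callable, List, Optional, Tuple

# Hypothetical transport hook: takes request headers, returns (status, body text).
Send = Callable[[dict], Tuple[int, str]]


def redact(key: str) -> str:
    """Log-safe form of a key: at most the last four characters survive."""
    return "****" + key[-4:] if len(key) > 8 else "****"


def error_code(body: str) -> Optional[str]:
    """Read error.code from the JSON error body; tolerate non-JSON replies."""
    try:
        err = json.loads(body)["error"]
    except (ValueError, KeyError, TypeError):
        return None
    return err.get("code") if isinstance(err, dict) else None


def call_with_overlap(keys: List[str], send: Send) -> Tuple[int, str, List[str]]:
    """Try each configured key once, in order, and return (status, body, log)."""
    log: List[str] = []
    status, body = 401, ""
    for key in keys:
        status, body = send({"Authorization": f"Bearer {key}"})
        if status == 401:
            # Key rejected (missing, invalid or revoked): resending it cannot succeed.
            log.append(f"401 key={redact(key)} code={error_code(body)}")
            continue
        if status == 403:
            # Authenticated but not authorized: an account or tier problem, not a key problem.
            log.append(f"403 key={redact(key)}: check account status")
        break
    return status, body, log


# Constructed stand-in for the API: the old key has been revoked, the new one works.
def fake_send(headers: dict) -> Tuple[int, str]:
    if headers["Authorization"] == "Bearer new-key-constructed-0002":
        return 200, '{"choices": []}'
    return 401, '{"error": {"code": "invalid_api_key", "message": "Invalid API key provided.", "type": "authentication_error"}}'


if __name__ == "__main__":
    print(call_with_overlap(["old-key-constructed-0001", "new-key-constructed-0002"], fake_send))
```

Once the log shows no more 401 entries for the old key, it can be removed from the configuration.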

Security Best Practices

1. Environment Variables

Always load your API key from environment variables, not from hardcoded strings or config files:

python
import os
from openai import OpenAI

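# Fail fast when the variable is unset: with api_key=None the OpenAI SDK
# falls back to OPENAI_API_KEY and would send that key to this base URL.
api_key = os.environ['LLM_RESAYIL_API_KEY']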

# Preferred: OpenAI-compatible shorthand
client = OpenAI(api_key=api_key, base_url='https://llmapi.resayil.io/v1')

# Alternative: dedicated API hostname
# client = OpenAI(api_key=api_key, base_url='https://llmapi.resayil.io/v1')

# Legacy: standard path (still supported)
# client = OpenAI(api_key=api_key, base_url='https://llmapi.resayil.io/v1')

2. HTTPS Only

Always use HTTPS when communicating with the LLM Resayil API. Never send API keys over unencrypted HTTP connections.

3. Request Authentication Headers

Use the Authorization header method shown above. Do not pass your API key as a query parameter.
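Practices 1 to 3 can be enforced in code before a request leaves the process. The following is an added example, not part of the LLM Resayil documentation: it loads the key from the environment, rejects non-HTTPS URLs and URLs that carry a credential, and builds the Bearer header. The function names, the list of credential-like parameter names and the sample key are assumptions made for illustration.

```python
import os
from urllib.parse import parse_qsl, urlsplit

KEY_ENV = "LLM_RESAYIL_API_KEY"  # variable name from the page's own snippet
# Constructed list of query-parameter names that usually carry credentials.
CREDENTIAL_PARAMS = {"api_key", "apikey", "key", "token", "access_token"}


def load_key(env=os.environ) -> str:
    """Read the key from the environment and fail loudly when it is absent."""
    key = env.get(KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV} is not set")
    return key


def check_url(url: str, key: str) -> list:
    """Return the policy violations found in an outgoing request URL."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        problems.append("scheme is not https")
    if key and key in url:
        problems.append("API key appears in the URL")
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in CREDENTIAL_PARAMS:
            problems.append(f"credential-like query parameter: {name}")
    return problems


def auth_headers(key: str) -> dict:
    """Build the Bearer header; reject keys that would corrupt the header line."""
    if not key or any(ch.isspace() for ch in key):
        raise ValueError("API key is empty or contains whitespace")
    return {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}


if __name__ == "__main__":
    key = "constructed-sample-key-1234"  # constructed value, not a real key
    base = "llmapi.resayil.io/v1/chat/completions"
    print(check_url(f"https://{base}", key))
    print(check_url(f"http://{base}?api_key={key}", key))
```

URLs end up in proxy logs, browser history and referrer headers, which is why the check treats a key anywhere in the URL as a violation.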

4. Access Control

Limit which team members have access to your API keys. Provide different keys for different applications and teammates to minimize blast radius if a key is compromised.

5. Monitoring and Alerts

Regularly review your dashboard for suspicious activity. If you notice requests from unexpected IP addresses or unusual traffic patterns, revoke the relevant key immediately.