Authentication

How API keys are sent, validated, and handled in error cases.

Authentication Method

All business endpoints accept a user-level API key in the header:

X-KGP-Api-Key: <your_api_key>

If you do not have a key yet, first activate and copy it from the main site's API Key page.

Which Endpoint Comes First

Call this first:

GET /me

It is used to:

  • validate the current key
  • confirm the key can manage creations
  • confirm you are operating under the right user's key

Base Rules

  • /health does not require auth
  • /catalog and /creations* require a user API key
  • do not skip /me and jump straight to creation

How the Server Should Handle Keys

  • store keys per user
  • do not write full keys into logs
  • do not proxy all users through one shared key
  • only display prefixes in error surfaces

Common Error Handling

  • invalid key: ask the user to check or reactivate it
  • insufficient permission: do not continue to creation
  • insufficient credits: route the user back to the main site
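The following client wrapper is an added example, not the project's own SDK. It puts the rules above into code: the key travels in the `X-KGP-Api-Key` header, `/health` is called without auth, `GET /me` must succeed for a user before `/creations` is touched, keys are stored per user rather than one shared key, and only a key prefix ever reaches an error message. Everything about the transport is constructed so the example runs offline: the HTTP status codes used to classify failures (401 for an invalid key, 403 for insufficient permission, 402 for insufficient credits), the `user` field in the `/me` body, the sample keys, and the fake server are assumptions, not taken from the page.

```python
"""Client-side handling of X-KGP-Api-Key following the Authentication page.

Added example, not the project's own client. Assumptions not on the page:
status codes (401 invalid key, 403 insufficient permission, 402 insufficient
credits), the "user" field in the GET /me body, and the constructed fake
server below that stands in for the real API so the example runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

HEADER = "X-KGP-Api-Key"
KEY_PREFIX_CHARS = 6  # only this much of a key may appear in logs or errors

# transport(method, path, headers) -> (status, body); injected for testing
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, dict]]


def redact(key: str) -> str:
    """Return a prefix-only form of the key for error surfaces and logs."""
    if len(key) <= KEY_PREFIX_CHARS:
        return "***"
    return key[:KEY_PREFIX_CHARS] + "..."


class AuthError(Exception):
    """One of the page's error categories; never carries the full key."""

    def __init__(self, category: str, key: str):
        self.category = category
        super().__init__(f"{category} (key {redact(key)})")


@dataclass
class KgpClient:
    transport: Transport
    # keys stored per user; never proxy every user through one shared key
    _keys: Dict[str, str] = field(default_factory=dict)
    _verified: set = field(default_factory=set)

    def set_key(self, user_id: str, api_key: str) -> None:
        self._keys[user_id] = api_key
        self._verified.discard(user_id)  # a new key must pass /me again

    def _request(self, method: str, path: str, user_id: str = None):
        headers = {}
        if user_id is not None:
            headers[HEADER] = self._keys[user_id]
        return self.transport(method, path, headers)

    def health(self) -> bool:
        status, _ = self._request("GET", "/health")  # no auth required
        return status == 200

    def verify(self, user_id: str) -> dict:
        """GET /me: validate the key, its permission, and whose key it is."""
        key = self._keys[user_id]
        status, body = self._request("GET", "/me", user_id)
        if status == 401:
            raise AuthError("invalid key: ask the user to check or reactivate it", key)
        if status == 403:
            raise AuthError("insufficient permission: do not continue to creation", key)
        if body.get("user") != user_id:  # operating under the wrong user's key
            raise AuthError("key belongs to a different user", key)
        self._verified.add(user_id)
        return body

    def create(self, user_id: str, payload: dict) -> dict:
        if user_id not in self._verified:
            raise RuntimeError("call GET /me before POST /creations")
        status, body = self._request("POST", "/creations", user_id)
        if status == 402:
            raise AuthError("insufficient credits: route the user back to the main site",
                            self._keys[user_id])
        return body


# Constructed fake server: key -> (owner, can manage creations, credits)
FAKE_KEYS = {
    "kgp_live_alice000": ("alice", True, 5),
    "kgp_live_bob111111": ("bob", False, 0),
    "kgp_live_dave22222": ("dave", True, 0),
}


def fake_transport(method: str, path: str, headers: Dict[str, str]):
    if path == "/health":
        return 200, {"status": "ok"}
    key = headers.get(HEADER)
    if key not in FAKE_KEYS:
        return 401, {"error": "invalid key"}
    user, can_create, credits = FAKE_KEYS[key]
    if path == "/me":
        return (403, {"error": "insufficient permission"}) if not can_create else (200, {"user": user})
    if path.startswith("/creations"):
        return (402, {"error": "insufficient credits"}) if credits <= 0 else (201, {"id": "creation-1"})
    return 404, {}


def demo() -> dict:
    """Run the flow for several users and collect outcomes (used by the test)."""
    c = KgpClient(fake_transport)
    for user, key in [("alice", "kgp_live_alice000"), ("bob", "kgp_live_bob111111"),
                      ("carol", "kgp_live_bogus"), ("dave", "kgp_live_dave22222")]:
        c.set_key(user, key)
    out = {"health": c.health(), "alice_me": c.verify("alice")["user"]}
    out["alice_create"] = c.create("alice", {})["id"]
    for user in ("bob", "carol", "dave"):
        try:
            c.verify(user)
            c.create(user, {})
        except AuthError as e:
            out[user] = str(e)
    try:
        c.create("bob", {})
    except RuntimeError as e:
        out["bob_skip_me"] = str(e)
    return out
```

The important design choice is that `AuthError` is built from `redact(key)` rather than the key itself, so whatever surfaces the exception (logs, UI, crash reporter) can only ever show the prefix.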

About Key Management

The public OpenAPI does not activate, rotate, or invalidate keys.

Users should manage those actions on the main site through the dedicated API Key page opened from the account avatar menu.