Every request to the Overten API must carry a credential in the Authorization header. Which credential you use depends on the endpoint — this page explains the two schemes, when each applies, and how to manage your keys over time.

Authentication schemes

| Scheme | Used by | Header |
| --- | --- | --- |
| API key (sk_live_*) | All generation, run, and file endpoints | Authorization: Bearer sk_live_... |
| Firebase ID token | /signup and key-management endpoints | Authorization: Bearer <firebase_token> |
The separation mirrors a typical developer workflow: you sign in as a human (Firebase) to bootstrap your account and manage keys, then your production code only ever sees the sk_live_* machine credential.

Key format

API keys have the format sk_live_<28 alphanumeric chars> and bill against your org. The raw secret is returned exactly once at creation time and cannot be retrieved later. If you lose a key, revoke it and mint a new one.

Signing up

Go from zero to a usable API key in one POST request.
1. Get a Firebase ID token

Sign in via the Overten dashboard or exchange your credentials with the Firebase web SDK. See Get an API key in the Quickstart for both flows.
2. Call POST /signup

Pass the Firebase token in the Authorization header along with your org details:
curl -X POST "https://backend.overtenai.com/api/v1/signup" \
  -H "Authorization: Bearer $FIREBASE_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "org_name": "Acme Docs",
    "tier": "free",
    "key_name": "primary"
  }'
The response contains org_id, secret (your sk_live_* key), and webhook_secret. Store the secret somewhere safe — it is shown only once.
If you already belong to a workspace in the Overten web app, pass existing_org_id instead of org_name. The signup will enable API access on that org rather than creating a second one.
3. Use the key

Pass the key in every request to a generation, run, or file endpoint:
Authorization: Bearer sk_live_...
See the sections below for how to create additional keys, rotate them, and revoke them.

Creating additional keys

Create a separate key for each service or deployment environment to limit the impact of a potential leak:
curl -X POST "https://backend.overtenai.com/api/v1/organizations/$ORG_ID/api-keys" \
  -H "Authorization: Bearer $FIREBASE_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "name": "ci-tests" }'
The response mirrors /signup — the secret field is present exactly once.

Listing keys

Retrieve all keys for your org. Only the prefix is returned; the raw secret is never re-exposed, even to the key’s creator.
GET /api/v1/organizations/{org_id}/api-keys
Authorization: Bearer <firebase_token>

{
  "items": [
    {
      "key_id": "key_abc123",
      "name": "primary",
      "prefix": "sk_live_4aT7",
      "created_at": "2026-04-17T11:20:00Z",
      "last_used_at": "2026-04-17T12:30:00Z",
      "revoked_at": null
    }
  ]
}

Revoking keys

Revocation takes effect immediately. Any subsequent request using that key returns 401 invalid_api_key.
DELETE /api/v1/organizations/{org_id}/api-keys/{key_id}
Authorization: Bearer <firebase_token>
Returns 204 No Content.

Rotating keys

Keys have no expiry — they stay valid until you revoke them. To rotate a key without downtime:
  1. Mint a new key via POST /organizations/{org_id}/api-keys.
  2. Deploy the new key to your services.
  3. Once all traffic is using the new key, revoke the old one.
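
Because keys never expire, rotation has to be driven from your side. The following is an added example, not Overten's own code: a Python audit over the response shape shown under Listing keys that flags active keys due for rotation or revocation and checks whether an old key has gone quiet before step 3. The thresholds, the sample data, and the assumption that last_used_at tracks recent traffic closely are all illustrative.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the "Listing keys" response; all values are made up.
SAMPLE = json.loads("""
{"items": [
  {"key_id": "key_old", "name": "primary", "prefix": "sk_live_4aT7",
   "created_at": "2025-11-01T09:00:00Z", "last_used_at": "2026-04-17T12:30:00Z", "revoked_at": null},
  {"key_id": "key_new", "name": "primary-v2", "prefix": "sk_live_9xQ2",
   "created_at": "2026-04-16T10:00:00Z", "last_used_at": "2026-04-17T12:31:00Z", "revoked_at": null},
  {"key_id": "key_ci", "name": "ci-tests", "prefix": "sk_live_Zk81",
   "created_at": "2026-01-10T08:00:00Z", "last_used_at": null, "revoked_at": null},
  {"key_id": "key_gone", "name": "staging", "prefix": "sk_live_Lm03", "created_at": "2025-06-01T08:00:00Z",
   "last_used_at": "2025-09-01T08:00:00Z", "revoked_at": "2025-09-02T08:00:00Z"}
]}
""")

def _ts(value):
    """Parse the API's ISO-8601 'Z' timestamps; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def audit_keys(listing, now, max_age_days=90, idle_days=30):
    """Findings per active key; thresholds are local policy assumptions, not API settings."""
    findings = {}
    for item in listing["items"]:
        if item["revoked_at"] is not None:
            continue  # revoked keys already fail with 401, nothing left to do
        notes = []
        created, used = _ts(item["created_at"]), _ts(item["last_used_at"])
        if now - created > timedelta(days=max_age_days):
            notes.append("rotate: older than max age")
        if used is None:
            notes.append("revoke: never used")
        elif now - used > timedelta(days=idle_days):
            notes.append("revoke: idle")
        if notes:
            findings[item["key_id"]] = notes
    return findings

def safe_to_revoke(listing, old_key_id, now, quiet=timedelta(hours=24)):
    """Rotation step 3: True once the old key has carried no traffic for `quiet`."""
    old = next(i for i in listing["items"] if i["key_id"] == old_key_id)
    used = _ts(old["last_used_at"])
    return used is None or now - used >= quiet

if __name__ == "__main__":
    now = datetime(2026, 4, 17, 13, 0, tzinfo=timezone.utc)
    print(audit_keys(SAMPLE, now), safe_to_revoke(SAMPLE, "key_old", now))
```

A False result from safe_to_revoke means some service is still sending the old key, so revoking it now would cause 401 errors for that service.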

Security hygiene

Treat sk_live_* keys like database passwords. Use a secret manager — AWS Secrets Manager, Doppler, 1Password, Vault, and similar tools all work — rather than hardcoding secrets in environment files that get committed.
If you believe a key has leaked, revoke it immediately via the dashboard or the DELETE endpoint, then email support@overten.ai. We can audit the affected key’s usage history for anomalies.
One key per environment (production, staging, CI) limits the blast radius of a leak and lets you rotate each environment independently.
Any key belonging to an org has the same permissions on that org — we don’t currently support scoped keys that are limited to specific formats or endpoints. If you need per-key scoping, email us with your use case.

Verifying a key works

Before shipping, confirm the key is valid and wired up correctly with a lightweight call to GET /verify:
curl "https://backend.overtenai.com/api/v1/verify" \
  -H "Authorization: Bearer $OVERTEN_API_KEY"

{
  "org_id": "org_xyz",
  "org_name": "Acme Docs",
  "tier": "free",
  "webhook_secret": "whsec_...",
  "key_prefix": "sk_live_4aT7"
}
/verify is the cheapest call in the API. Use it in health checks and startup probes to catch misconfigured credentials before they cause production failures.

Continue to Runs and tasks to understand how we model work, or jump straight to Format guides for end-to-end generation examples.