Authentication

Learn how to authenticate your API requests using API keys.

Overview

All API endpoints (except /api/v1/health) require authentication. Vydra uses API keys with Bearer token authentication.

API Key Format

API keys follow the format: vydra_live_user_[userId]_[randomString]

Creating API Keys

You can create API keys from your dashboard or via the API itself (session authentication required).

Via Dashboard

  1. Sign in to your Vydra account
  2. Navigate to Settings → API Keys
  3. Click "Create New Key"
  4. Give your key a name and optional expiration
  5. Copy and securely store your key - it won't be shown again!

Via API

Create API Key (bash)
curl -X POST https://vydra.app/api/v1/api-keys \
  -H "Content-Type: application/json" \
  -H "Cookie: __session=YOUR_SESSION_COOKIE" \
  -d '{
    "name": "My Production Key",
    "expiresInDays": 90
  }'

Important

The full API key is only returned once when created. Store it securely immediately. If you lose it, you'll need to create a new key.

Using API Keys

Include your API key in the Authorization header as a Bearer token:

Authentication Examples

curl https://vydra.app/api/v1/models \
  -H "Authorization: Bearer vydra_live_user_abc_X7kM9pQ..."

API Key Response Format

When you create an API key, you'll receive a response like this:

Create Key Response (json)
{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "key": "vydra_live_user_abc_X7kM9pQ...",
  "keyPrefix": "vydra_live_use...",
  "message": "Store this key securely. It will not be shown again."
}

Response Fields

Name       Type    Description
id         string  Unique identifier for the API key (UUID)
key        string  The full API key - only shown once!
keyPrefix  string  Truncated prefix for identification
message    string  Reminder to store the key securely

API Key Scopes

API keys can be restricted to specific operations using scopes. By default, keys are created with full access.

Scope         Description
*             Full access (default)
models:*      All model operations
models:read   List models only
models:write  Generate/edit with models
jobs:*        All job operations
upload:*      Upload files
account:read  Read account info

Managing API Keys

List Your Keys

curl https://vydra.app/api/v1/api-keys \
  -H "Authorization: Bearer YOUR_API_KEY"

Revoke a Key

curl -X DELETE https://vydra.app/api/v1/api-keys/KEY_ID \
  -H "Authorization: Bearer YOUR_API_KEY"

Warning

Revoking an API key is permanent and cannot be undone. Any applications using the revoked key will immediately lose access.

Authentication Errors

These errors may occur during authentication:

Status  Code                Description
401     MISSING_AUTH        No Authorization header provided
401     INVALID_FORMAT      Invalid API key format
401     KEY_NOT_FOUND       API key doesn't exist
401     KEY_REVOKED         API key was revoked
401     KEY_EXPIRED         API key has expired
403     INSUFFICIENT_SCOPE  Key lacks required permission

Best Practices

🔐 Keep Keys Secret

Never expose API keys in client-side code, public repositories, or logs. Use environment variables to store keys securely.

🔄 Rotate Regularly

Periodically create new API keys and revoke old ones, especially if you suspect a key may have been compromised.

🎯 Use Minimal Scopes

Create keys with only the permissions they need. A key used only for listing models doesn't need write access.

📅 Set Expiration

For temporary integrations or testing, set an expiration date on your API keys to ensure they're automatically disabled.
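
One way to apply "Keep Keys Secret" in application code, as an added example that is not part of Vydra's documentation or SDK: a logging filter that truncates anything shaped like a key to the 14-character prefix seen in the keyPrefix example, plus a helper that loads the key from an environment variable. The VYDRA_API_KEY variable name, the character set after vydra_live_user_, and the sample key are assumptions made for illustration.

```python
import logging
import os
import re

# Fixed prefix comes from the documented format vydra_live_user_[userId]_[randomString].
# The character class for userId/randomString is an assumption; the page does not specify it.
KEY_RE = re.compile(r"vydra_live_user_[A-Za-z0-9_-]+")
PREFIX_LEN = 14  # same length as the keyPrefix example "vydra_live_use..."


def redact(text: str) -> str:
    """Replace every key-shaped token with its truncated prefix."""
    return KEY_RE.sub(lambda m: m.group(0)[:PREFIX_LEN] + "...", text)


class KeyRedactionFilter(logging.Filter):
    """Logging filter that scrubs API keys from the final formatted message."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # args are already merged into msg above
        return True


def auth_header() -> dict:
    """Build the Bearer header from the environment, never from source code."""
    key = os.environ.get("VYDRA_API_KEY", "")  # variable name is an assumption
    if not KEY_RE.fullmatch(key):
        raise RuntimeError("VYDRA_API_KEY is missing or not in the expected format")
    return {"Authorization": f"Bearer {key}"}


def demo() -> list:
    """Log a constructed request line and return what the handler received."""
    seen = []

    class Capture(logging.Handler):
        def emit(self, record):
            seen.append(record.getMessage())

    log = logging.getLogger("vydra.demo")
    log.propagate = False
    log.addHandler(Capture())
    log.addFilter(KeyRedactionFilter())
    # Constructed key, not a real credential.
    log.warning("GET /api/v1/models Authorization: Bearer %s",
                "vydra_live_user_abc_X7kM9pQexample")
    return seen
```

Attach the filter to the logger that your HTTP client code writes to; a filter on a logger only sees records created on that logger, so a filter on a parent logger does not cover its children.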