Authentication

All NovaKit API requests require authentication using Bearer tokens. This guide covers API key management, scopes, and security best practices.

API Key Format

NovaKit API keys follow this format:

sk_<64_hexadecimal_characters>

Example: sk_a1b2c3d4e5f6... (64 hex characters total)

Making Authenticated Requests

Include your API key in the Authorization header:

curl -X POST https://www.novakit.ai/api/v1/chat/completions \
  -H "Authorization: Bearer sk_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{"messages": [{"role": "user", "content": "Hello"}]}'

import requests
import os

response = requests.post(
    "https://www.novakit.ai/api/v1/chat/completions",
    headers={
        "Authorization": f"Bearer {os.environ['NOVAKIT_API_KEY']}",
        "Content-Type": "application/json"
    },
    json={"messages": [{"role": "user", "content": "Hello"}]}
)

const response = await fetch(
  "https://www.novakit.ai/api/v1/chat/completions",
  {
    method: "POST",
    headers: {
      "Authorization": `Bearer ${process.env.NOVAKIT_API_KEY}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      messages: [{ role: "user", content: "Hello" }]
    }),
  }
);

API Key Scopes

Each API key can be limited to specific capabilities using scopes. This allows you to create restricted keys for different applications.

Creating API Keys

1. Go to Dashboard → Settings → API Keys
2. Click Create New Key
3. Enter a name to identify the key
4. Select the scopes you need
5. Optionally set an expiration date
6. Click Create and copy your key immediately

Key Expiration

API keys can be configured with an expiration date:

• No expiration - Key works indefinitely until revoked
• Custom date - Key automatically stops working after the set date

Expired keys return a 401 Unauthorized error with the message "API key has expired".

Revoking Keys

To revoke an API key:

1. Go to Dashboard → Settings → API Keys
2. Find the key you want to revoke
3. Click the Revoke button
4. Confirm the action

Error Responses

Missing or Invalid Key

{
  "error": "Invalid or missing API key"
}

Status: 401 Unauthorized

Expired Key

{
  "error": "API key has expired"
}

Status: 401 Unauthorized

Missing Scope

{
  "error": "API key does not have required scope: chat"
}

Status: 403 Forbidden

Quota Exceeded

{
  "error": "Quota exceeded for chat_tokens"
}

Status: 402 Payment Required

Security Best Practices

Do's

• Store API keys in environment variables
• Use different keys for development and production
• Create keys with minimum required scopes
• Set expiration dates for temporary access
• Rotate keys periodically
• Monitor key usage in the dashboard

Don'ts

• Never commit API keys to version control
• Don't share keys in public forums or chat
• Don't embed keys in client-side code
• Don't use a single key across all applications

Environment Variables

We recommend storing your API key in environment variables:

# .env.local (never commit this file)
NOVAKIT_API_KEY=sk_your_api_key

Then access it in your code:

import os
api_key = os.environ.get("NOVAKIT_API_KEY")

const apiKey = process.env.NOVAKIT_API_KEY;

apiKey := os.Getenv("NOVAKIT_API_KEY")

OpenAI SDK Compatibility

NovaKit is compatible with the OpenAI SDK. Just change the base URL:

from openai import OpenAI

client = OpenAI(
    api_key="sk_your_novakit_key",
    base_url="https://www.novakit.ai/api/v1"
)

Client Identification

You can identify your application in requests for better analytics:

curl -X POST https://www.novakit.ai/api/v1/chat/completions \
  -H "Authorization: Bearer sk_your_api_key" \
  -H "X-Client-Name: my-app" \
  -H "Content-Type: application/json" \
  -d '...'

Supported headers:

• X-NovaKit-Client - Client identifier
• X-Client-Name - Application name
• User-Agent - Detected automatically (e.g., novakit-cli/1.0)