Skip to content
powapi
Documentation

Authentication

Every request carries a single API key. Keys are scoped to a tenant and a metering mode. Two header forms are accepted — pick whichever your client speaks natively.

#Header forms

OpenAI-shaped clients send Authorization. Anthropic SDK clients (and Claude Code) send x-api-key. Both work everywhere; if both are present, x-api-key wins.

http
Authorization: Bearer pk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# — or —
x-api-key: pk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

#Two key types

  • subscriptionruns against your monthly quota window on tool-tuned routes (/claudecode, /cline, /cursor, /roocode). Rejects with 429 when you exhaust the 24h sliding window.
  • pay-per-tokendraws down your prepaid USD balance per request. Works on both tool-tuned routes and the generic /v1 routes. Rejects with 402 when balance hits zero.

#Key safety

Keys grant full access to billable usage on your tenant. Treat them like passwords: rotate from the dashboard if leaked, never commit to a repository, and use one key per environment so you can revoke without breaking other surfaces.