Skip to main content
All API requests (except /health) require a valid API key passed as a Bearer token.

Making authenticated requests

Include your API key in the Authorization header:

Obtaining API keys

Create and manage API keys from the API Keys page in the Omnifence dashboard. The full key value is shown once at creation — copy and store it securely; the dashboard will only display the prefix afterwards. Each key is owned by your account and inherits your organization’s rate limits and scopes.
Treat API keys as secrets. Do not commit them to version control or expose them in client-side code. If a key leaks, revoke it from the dashboard and create a new one.

How authentication works

When you send a request:
  1. The API hashes your key with its configured key hasher and looks it up in the apikey table.
  2. If the key is enabled and still valid, the API resolves your organization and loads your scopes.
  3. The request is processed; your account’s rate limits apply.
If the key is invalid, disabled, or missing, the API returns a 401 UNAUTHORIZED error.

Scopes

Each API key carries one or more scopes. The API enforces scopes at runtime — requests missing the required scope receive a 403 FORBIDDEN response. Client-created keys default to the client scope set (moderate:prompt, moderate:chat, moderate:image, moderate:video, job:read). Usage and billing are viewed and managed in the dashboard, not via the API. admin:config is reserved for staff access via the dashboard UI and is not issued to programmatic keys.
If your key is missing a required scope, the API returns 403 FORBIDDEN. Contact support if you need the scopes on your key adjusted.

Account termination

If your account has been terminated by an administrator (for example, after a manual review following repeated policy violations), all requests return a 403 ACCOUNT_TERMINATED error regardless of the API key used.