> ## Documentation Index
> Fetch the complete documentation index at: https://docs.omnifence.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate requests with Bearer API keys

All API requests (except `/health`) require a valid API key passed as a Bearer token.

## Making authenticated requests

Include your API key in the `Authorization` header:

```bash theme={null}
curl https://api.omnifence.ai/api/v1/job/YOUR_JOB_ID \
  -H "Authorization: Bearer YOUR_API_KEY"
```

## Obtaining API keys

Create and manage API keys from the **API Keys** page in the [Omnifence dashboard](https://app.omnifence.ai/api-keys). The full key value is shown **once** at creation — copy and store it securely; the dashboard will only display the prefix afterwards.

Each key is owned by your account and inherits your organization's rate limits and scopes.

<Warning>
  Treat API keys as secrets. Do not commit them to version control or expose them in client-side
  code. If a key leaks, revoke it from the dashboard and create a new one.
</Warning>

## How authentication works

When you send a request:

1. The API hashes your key with its configured key hasher and looks it up in the `apikey` table.
2. If the key is enabled and still valid, the API resolves your organization and loads your scopes.
3. The request is processed; your account's rate limits apply.

If the key is invalid, disabled, or missing, the API returns a `401 UNAUTHORIZED` error.

## Scopes

Each API key carries one or more scopes. The API enforces scopes at runtime — requests missing the required scope receive a `403 FORBIDDEN` response.

| Scope             | Required for                                            |
| ----------------- | ------------------------------------------------------- |
| `moderate:prompt` | `POST /api/v1/moderate/prompt`                          |
| `moderate:chat`   | `POST /api/v1/moderate/chat`                            |
| `moderate:image`  | `POST /api/v1/moderate/image`                           |
| `moderate:video`  | `POST /api/v1/moderate/video`                           |
| `job:read`        | `GET /api/v1/job/{id}`, `GET /api/v1/job/{id}/progress` |

Client-created keys default to the client scope set (`moderate:prompt`, `moderate:chat`,
`moderate:image`, `moderate:video`, `job:read`). Usage and billing are viewed and managed in the
dashboard, not via the API. `admin:config` is reserved for staff access via the dashboard UI and is
not issued to programmatic keys.

<Note>
  If your key is missing a required scope, the API returns `403 FORBIDDEN`. Contact support if you
  need the scopes on your key adjusted.
</Note>

## Account termination

If your account has been terminated by an administrator (for example, after a manual review following repeated policy violations), all requests return a `403 ACCOUNT_TERMINATED` error regardless of the API key used.

```json theme={null}
{
  "error": "ACCOUNT_TERMINATED",
  "message": "Account has been terminated",
  "statusCode": 403
}
```
