Authentication
Authenticate requests with a Bearer token or x-api-key header, depending on the client protocol.
Bearer token
OpenAI-compatible endpoints expect your Zunova API key in the Authorization header. This is the recommended mode for OpenAI SDKs and raw HTTP calls.
Authorization: Bearer sk-zn-xxxx
Content-Type: application/json
x-api-key header
Some Anthropic-compatible clients expect x-api-key instead of Authorization. Use it only for endpoints or tools that explicitly require Anthropic-style authentication.
x-api-key: sk-zn-xxxx
anthropic-version: 2023-06-01
Content-Type: application/json
Keep keys server-side
Treat Zunova keys like production secrets. Never ship them inside browser bundles, mobile apps, public repositories, screenshots, or client-only configuration files.
- Use environment variables in your backend or serverless runtime.
- Create separate keys for development, staging, and production.
- Use short-lived deployment secrets when available from your hosting provider.
- Proxy browser requests through your own backend if the user interface needs to call AI features.
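A sketch of the header handling such a backend proxy needs, as an added example rather than Zunova's own code. The environment variable name `ZUNOVA_API_KEY`, the function names, and the choice to return 502 to the browser on upstream 401/403 are assumptions made for illustration.

```python
import os

# Hypothetical environment variable name; the page does not define one.
KEY_ENV_VAR = "ZUNOVA_API_KEY"

# Headers the browser must not control on the upstream request.
STRIP_FROM_CLIENT = {
    "authorization", "x-api-key", "anthropic-version",
    "content-type", "cookie", "host", "content-length",
}


def load_api_key(environ=os.environ):
    """Read the key from the backend environment and fail closed if absent."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def upstream_headers(client_headers, api_key, anthropic_style=False):
    """Build headers for the upstream call, discarding client-supplied credentials."""
    headers = {
        name: value
        for name, value in client_headers.items()
        if name.lower() not in STRIP_FROM_CLIENT
    }
    headers["Content-Type"] = "application/json"
    if anthropic_style:
        # Anthropic-style authentication as shown on this page.
        headers["x-api-key"] = api_key
        headers["anthropic-version"] = "2023-06-01"
    else:
        headers["Authorization"] = f"Bearer {api_key}"
    return headers


def browser_response(upstream_status):
    """Map upstream auth failures to a reply that reveals nothing about the key."""
    if upstream_status in (401, 403):
        # A bad or under-privileged server key is a backend fault, not the user's.
        return 502, {"error": "upstream_auth_failed"}
    if upstream_status == 429:
        return 429, {"error": "quota_exceeded"}
    return upstream_status, None
```

Stripping `Authorization` and `x-api-key` from the incoming request keeps a browser client from substituting its own credential on the upstream call, and the server key never appears in anything returned to the browser.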
Key rotation workflow
- Create a replacement key in Dashboard → Keys.
- Deploy the new key to your server environment.
- Verify successful requests in Dashboard → Requests.
- Disable or delete the old key after traffic has moved over.
- Rotate immediately if a key was exposed in logs, commits, screenshots, or client code.
Authentication errors
| Status | Code | Meaning |
|---|---|---|
| 401 | unauthorized | Authorization header is missing, malformed, or contains an invalid key. |
| 401 | unauthorized | x-api-key is missing or invalid for Anthropic-compatible endpoints. |
| 403 | forbidden | The key exists but is not allowed to access the requested feature or model. |
| 429 | quota_exceeded | The key is valid but the account has reached plan limits. |