Authentication
Every request to APIHub Star is authenticated with a bearer API key. Keys are scoped, environment-aware and fully auditable.
API keys
Pass your key in the Authorization header:
request
Authorization: Bearer ah_live_•••••••
Keys are prefixed by environment — ah_live_ for production and ah_test_ for sandbox — so they can never be confused.
Scopes
Grant the least privilege a key needs. Scopes are checked on every call.
chat:write— create completions and chat requestsembeddings:write— generate embeddingsanalytics:read— read usage and cost metricsadmin— manage keys, members and policies
Rotation & security
- Rotate keys with zero downtime — old and new keys overlap for a grace window.
- Set per-key IP allow-lists and rate limits.
- All key usage is written to an immutable audit log.
Never embed a live key in client-side code or a repository. Use environment variables or a secrets manager, and prefer short-lived keys for CI.