API keys authenticate every BabySea public /v1 request. Each key belongs to one BabySea account and is sent in the Authorization: Bearer ... header.

What you see in API keys

The workspace page at API keys is the control surface for key creation and key lifecycle management. The page includes:
  • The page title API keys.
  • The button Create API key.
  • An icon button with the tooltip Open full view.
  • A search field with the placeholder Search....
  • A table with the columns API name, Prefix, Last used, Created, Status, and IP allowlist.
  • A row action menu that can show Rotate, Revoke, Rotated, and Delete, depending on the key state.
If the table has no keys yet, the page shows No data available and the helper text Generate API keys to authenticate requests and start generating contents.

Who can manage keys

API keys are account-bound.
  • In a personal account, the account owner can create and manage keys for that account.
  • In a team workspace, primary-owner and owner can create, rotate, revoke, and delete keys.
  • In a team workspace, member has view-only access to the page.

Key format and storage model

BabySea generates keys with the bye_ prefix.
bye_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9
The raw key is shown only once when you create or rotate it. After that, BabySea keeps only:
  • a 9-character key_prefix for lookup and dashboard display
  • a bcrypt hash for secret verification
That design lets the dashboard identify a key without storing the raw secret.
Prefix shown in dashboard: bye_a1B2c...
Full key shown once:       bye_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9

How authentication works

Send the key in the Authorization header:
Terminal
curl https://api.us.babysea.ai/v1/status \
  -H "Authorization: Bearer bye_your_api_key"
Or with the SDK:
TypeScript
import { BabySea } from 'babysea';

const client = new BabySea({
  apiKey: 'bye_your_api_key',
  region: 'us',
});
For each authenticated /v1 request, BabySea performs this flow before the request is allowed to continue:
1. Read the bearer token
BabySea accepts API key authentication when the Authorization header starts with Bearer bye_....

2. Identify the key
BabySea uses the key prefix to identify the presented key.

3. Verify the key
BabySea verifies that the presented key is valid. The full key value is shown only when you create or rotate it.

4. Check lifecycle state
Inactive keys and expired keys fail authentication.

5. Check the IP allowlist
If the key has an IP allowlist, BabySea checks whether the request IP is permitted.

6. Check route scope
Each /v1 route enforces the scope it requires, such as account:read for GET /v1/status.

If all checks pass, the request reaches the public /v1 route handler.
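
The six checks above, modelled as an added Python example (this is not BabySea's code, and it goes slightly beyond the steps by returning the error codes listed under Common authentication errors). Assumptions: PBKDF2 from the standard library stands in for the bcrypt hash the page describes, a rotated key is modelled as a record whose expires_at marks the end of its grace period, the record field names other than key_prefix and expires_at are hypothetical, and the mapping from each failed check to an error code is inferred from the error messages.

```python
import hashlib, hmac, ipaddress, os

PREFIX_LEN = 9  # "bye_" plus five characters, as displayed in the dashboard

def hash_secret(raw_key, salt):
    # Assumption: PBKDF2 stands in for bcrypt, which is not in the stdlib.
    return hashlib.pbkdf2_hmac("sha256", raw_key.encode(), salt, 100_000)

def make_record(raw_key, scopes, allowlist=(), revoked=False, expires_at=None):
    # The store keeps the prefix and a salted hash, never the raw key.
    salt = os.urandom(16)
    return {"key_prefix": raw_key[:PREFIX_LEN], "salt": salt,
            "hash": hash_secret(raw_key, salt), "scopes": set(scopes),
            "allowlist": {ipaddress.ip_address(a) for a in allowlist},
            "revoked": revoked, "expires_at": expires_at}

def authenticate(header, client_ip, scope, records, now):
    """Return None if the request may proceed, else an error code (assumed mapping)."""
    if not header or not header.startswith("Bearer bye_"):  # 1. bearer token
        return "BSE1001"
    raw_key = header[len("Bearer "):]
    # 2. A salted hash cannot be searched for, so the prefix selects candidates.
    # 3. Each candidate's hash is compared in constant time.
    match = None
    for rec in records:
        if rec["key_prefix"] == raw_key[:PREFIX_LEN] and hmac.compare_digest(
                hash_secret(raw_key, rec["salt"]), rec["hash"]):
            match = rec
    if match is None:
        return "BSE1002"
    # 4. Revoked keys and keys past expires_at no longer authenticate.
    expired = match["expires_at"] is not None and now >= match["expires_at"]
    if match["revoked"] or expired:
        return "BSE1002"
    # 5. An empty allowlist means the key has no IP restriction.
    allowed = match["allowlist"]
    if allowed and ipaddress.ip_address(client_ip) not in allowed:
        return "BSE1007"
    # 6. The route's required scope must be among the key's scopes.
    return None if scope in match["scopes"] else "BSE1003"

# Constructed sample data: the page's example key, plus a made-up rotated key
# that stays usable until the preselected 24-hour grace period ends.
NEW_KEY = "bye_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9"
OLD_KEY = "bye_Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0Pp9Oo8Nn7"
ROTATED_AT = 1_700_000_000  # constructed Unix timestamp
RECORDS = [
    make_record(NEW_KEY, {"account:read"}, allowlist=["203.0.113.10"]),
    make_record(OLD_KEY, {"account:read"}, expires_at=ROTATED_AT + 24 * 3600),
]
```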

Status and lifecycle

The Status column reflects the current authentication state of the key.
| Status | Meaning |
| --- | --- |
| Active | The key is active and can authenticate requests. |
| Rotated | The old key was rotated and is still inside its grace period. |
| Expired | The key reached its expires_at timestamp and no longer authenticates. |
| Revoked | The key was manually disabled and no longer authenticates. |
The grace period is the overlap window after rotation when both the replacement key and the old key can still be used. In the dashboard, that value is selectable from 1 hour to 168 hours, with 24 hours preselected.

Permission presets

When you create a key, the Permissions section shows these presets:
| Preset | Dashboard description |
| --- | --- |
| Full Access | All permissions - read, write, delete |
| Generate Only | Create & read generations + browse models |
| Read Only | Read generations, account info, health - no spending |
| Monitor Only | Health checks & model catalog - no account data |
These presets map to the route scopes documented in Scopes.

One-time key display

The full secret is displayed exactly once in the dialog View API key after creation, and once again in Key rotated successfully after rotation. If you close the dialog without storing the value, BabySea cannot show the raw key again. Your recovery path is to:
  • rotate the key and replace the old secret in your applications
  • delete the key and create another one

Common authentication errors

These errors appear when authentication or authorization fails before the route completes:
| Code | Message |
| --- | --- |
| BSE1001 | Missing API key. Provide a valid key via the Authorization header. |
| BSE1002 | Invalid or expired API key. |
| BSE1003 | API key does not have permission for this resource. |
| BSE1007 | This IP address is not in the allowlist for this API key. |

Next steps

  • Create a key - Follow the dashboard flow from Create API key to View API key
  • Scopes - Match each permission preset to the public /v1 routes it can use
  • IP allowlist - Restrict a key to exact source IP addresses
  • Rotation - Manage grace periods, revocation, and deletion