API keys authenticate all BabySea public /v1 requests via the Authorization: Bearer <token> header. Manage them in the API keys section of the console.
curl https://api.<your_region>.babysea.ai/v1/status \
  -H "Authorization: Bearer bye_your_api_key"

Access control

In a personal workspace, the sole owner manages all keys. In team workspaces, RBAC applies:
| Role | Access |
| --- | --- |
| primary-owner / owner | Provision, rotate, revoke, and delete keys |
| member | Read-only — view metadata and audit logs only |

Key format and storage

Keys use the bye_ prefix followed by a Base64-encoded random value:
bye_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9
BabySea stores only the first 9 characters (the prefix) and a one-way cryptographic hash. The raw key is never stored and is shown exactly once — at creation or rotation.
Store the key in your secrets manager before closing the dialog. It cannot be retrieved afterward.

Authentication flow

For every /v1 request, BabySea runs these checks in order:
  1. Read the bearer token. Accepts Authorization: Bearer bye_... header.
  2. Identify the key. Uses the key prefix to locate the key record.
  3. Verify the key. Validates the cryptographic hash against the presented secret.
  4. Check lifecycle state. Inactive or expired keys fail immediately.
  5. Check the IP allowlist. If configured, rejects requests from unlisted IPs with BSE1007.
  6. Check route scope. Verifies the key has the required scope for the requested endpoint.
All checks pass → request reaches the route handler.

Key status

| Status | Authenticates | Meaning |
| --- | --- | --- |
| Active | Yes | Key is live and valid |
| Rotated | Yes (until grace period ends) | Old key within its overlap window |
| Expired | No | Expiration timestamp reached |
| Revoked | No | Manually disabled |
The grace period (1–168 hours, default 24h) is the overlap window after rotation where both old and new keys work.

Permission presets

Scopes are bound to a key at creation and cannot be changed. Choose the most restrictive preset your workload requires.
| Preset | Scopes granted | Best for |
| --- | --- | --- |
| Full Access | All — read, write, delete | Production API servers |
| Generate Only | generation:write, generation:read, library:read | Background workers that only start generations |
| Read Only | generation:read, account:read, health:read, library:read | Dashboards, usage readers |
| Monitor Only | health:read, library:read | Uptime monitors, catalog browsers |

Scope → endpoint mapping

| Scope | Endpoints |
| --- | --- |
| generation:write | POST /v1/generate/image/{model}, POST /v1/generate/video/{model} |
| generation:read | GET /v1/content/{id}, GET /v1/content/list |
| generation:delete | DELETE /v1/content/{id}, POST /v1/content/generation/cancel/{id} |
| account:read | GET /v1/user/account, GET /v1/user/billing, GET /v1/usage, GET /v1/status |
| health:read | GET /v1/health/inference/providers, GET /v1/health/inference/models, GET /v1/health/storage, GET /v1/health/cache |
| library:read | GET /v1/library/providers, GET /v1/library/models, GET /v1/estimate/{model} |
To change scopes, provision a new key with the desired preset, migrate your applications, then revoke the old key.
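
Because scopes are fixed at creation, it pays to work out the preset from the requests a workload actually sends before provisioning. The following is an added example, not BabySea code: it transcribes the two tables above and picks the preset that covers a list of requests with the least unneeded access. It assumes that Full Access means exactly the six scopes listed, that {model} can contain a slash, and that spare write/delete scopes should count for more than spare read scopes (the `cost` weighting is this example's own choice).

```javascript
// Added example. Tables transcribed from this page's scope and preset sections.
const SCOPE_ROUTES = {
  'generation:write': ['POST /v1/generate/image/{model}', 'POST /v1/generate/video/{model}'],
  'generation:read': ['GET /v1/content/{id}', 'GET /v1/content/list'],
  'generation:delete': ['DELETE /v1/content/{id}', 'POST /v1/content/generation/cancel/{id}'],
  'account:read': ['GET /v1/user/account', 'GET /v1/user/billing', 'GET /v1/usage', 'GET /v1/status'],
  'health:read': ['GET /v1/health/inference/providers', 'GET /v1/health/inference/models',
    'GET /v1/health/storage', 'GET /v1/health/cache'],
  'library:read': ['GET /v1/library/providers', 'GET /v1/library/models', 'GET /v1/estimate/{model}'],
};
const PRESETS = {
  'Monitor Only': ['health:read', 'library:read'],
  'Read Only': ['generation:read', 'account:read', 'health:read', 'library:read'],
  'Generate Only': ['generation:write', 'generation:read', 'library:read'],
  'Full Access': Object.keys(SCOPE_ROUTES), // assumption: "All" means these six scopes
};

// Assumption: {model} may contain "/" (ids look like bfl/flux-schnell); other params are one segment.
const MATCHERS = Object.entries(SCOPE_ROUTES).flatMap(([scope, routes]) =>
  routes.map((route) => ({
    scope,
    re: new RegExp('^' + route.replace('{model}', '.+').replace(/\{\w+\}/g, '[^/]+') + '$'),
  })));

// Maps "METHOD /path" to the scope that guards it, or null if the route is not in the table.
function requiredScope(request) {
  const hit = MATCHERS.find((m) => m.re.test(request));
  return hit ? hit.scope : null;
}

// Unneeded write/delete scopes weigh more than unneeded read scopes (this example's choice).
const cost = (scope) => (scope.endsWith(':read') ? 1 : 10);
const excessCost = (p) => p.excess.reduce((n, s) => n + cost(s), 0);

function narrowestPreset(requests) {
  const needed = new Set();
  const unknown = [];
  for (const request of requests) {
    const scope = requiredScope(request);
    if (scope) needed.add(scope);
    else unknown.push(request);
  }
  const ranked = Object.entries(PRESETS)
    .filter(([, scopes]) => [...needed].every((s) => scopes.includes(s)))
    .map(([name, scopes]) => ({ name, excess: scopes.filter((s) => !needed.has(s)) }))
    .sort((a, b) => excessCost(a) - excessCost(b));
  return { preset: ranked[0].name, excess: ranked[0].excess, needed: [...needed].sort(), unknown };
}
```

A worker that also calls GET /v1/status as a health probe no longer fits Generate Only and lands on Full Access, so keep such probes on a separate Read Only key.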

Create a key

Requires: primary-owner or owner role.
  1. Open API keys. Navigate to API keys in the console sidebar.
  2. Provision a new key. Click Create API key.
  3. Enter a name. Up to 100 characters. Use descriptive names tied to the workload:

     | Example | Use case |
     | --- | --- |
     | prod-api-worker | Production image generation backend |
     | dev-frontend | Local development |
     | staging-monitor | Staging health checks |
     | analytics-reader | Usage dashboard |

  4. Choose a permission preset. Select a preset. Defaults to Full Access. Scopes are immutable after creation.
  5. Optional — add an IP allowlist. Enter comma-separated IPs (max 50 entries, 45 chars each). Leave empty to allow all IPs.

     203.0.113.10, 198.51.100.5, 2001:db8::1

  6. Click Add. The button is disabled until a valid name is entered.
  7. Store the key. BabySea shows the full key exactly once. Copy it to your secrets manager before closing.

     bye_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9

Using your key

TypeScript
import { BabySea } from 'babysea';

const client = new BabySea({
  apiKey: process.env.BABYSEA_API_KEY,
  region: 'us',
});

const result = await client.generate('bfl/flux-schnell', {
  generation_prompt: 'A baby seal plays in Arctic',
});

Verify the key

Terminal
curl https://api.<your_region>.babysea.ai/v1/status \
  -H "Authorization: Bearer bye_your_api_key"
Requires account:read — available on Full Access and Read Only. For Generate Only keys, send a generation request instead.

Store it securely

.env
BABYSEA_API_KEY=bye_your_api_key
Never commit API keys to version control, embed them in client-side code, or share them in plaintext.

IP allowlist

Restrict a key to specific egress IPs. Requests from unlisted IPs are rejected with BSE1007 before reaching any route handler. Allowlists are immutable after creation — to update, provision a new key with the revised list, migrate, then revoke the old one.
| Rule | Detail |
| --- | --- |
| Match type | Exact string match |
| Max entries | 50 IPs per key |
| Max length per IP | 45 characters |
| Empty | All IPs allowed |
| Inherited on rotation | Yes |
| Raw IP logged | Never — SHA-256 hash only |

Common setups

Single server
203.0.113.10
Multiple servers / load balancer
203.0.113.10, 203.0.113.11, 203.0.113.12
For serverless or dynamic egress environments, omit the allowlist and enforce least-privilege scopes instead.
Combine IP allowlists with the narrowest possible scope preset for defense in depth.
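
Since an allowlist cannot be edited after creation and is matched as an exact string, a mistake in the list means provisioning another key. The following added example (a local pre-check, not part of BabySea or its SDK) validates a comma-separated list against the limits in the table above. Treating CIDR or range entries as errors follows from exact string matching; the warning about uncompressed IPv6 is an assumption, because the page does not say which textual form of the client address is compared.

```javascript
// Added example. Limits are the ones stated on this page.
const MAX_ENTRIES = 50;
const MAX_LEN = 45;
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Returns the compressed lowercase form of an IPv6 literal, or null if it is not one.
// Uses the WHATWG URL parser, which validates and normalises bracketed IPv6 hosts.
function canonicalIPv6(text) {
  if (!/^[0-9a-fA-F:.]+$/.test(text) || !text.includes(':')) return null;
  try {
    return new URL(`http://[${text}]/`).hostname.slice(1, -1);
  } catch {
    return null;
  }
}

function checkAllowlist(input) {
  const entries = input.split(',').map((s) => s.trim()).filter((s) => s !== '');
  const errors = [];
  const warnings = [];
  if (entries.length > MAX_ENTRIES) errors.push(`${entries.length} entries; limit is ${MAX_ENTRIES}`);
  const seen = new Set();
  for (const ip of entries) {
    if (seen.has(ip)) { warnings.push(`${ip}: duplicate entry`); continue; }
    seen.add(ip);
    if (ip.length > MAX_LEN) { errors.push(`${ip}: longer than ${MAX_LEN} characters`); continue; }
    if (ip.includes('/') || ip.includes('-')) {
      errors.push(`${ip}: ranges and CIDR blocks never equal a single address string`);
      continue;
    }
    if (IPV4.test(ip)) continue;
    const canon = canonicalIPv6(ip);
    if (canon === null) errors.push(`${ip}: not an IPv4 or IPv6 address`);
    // Assumption: the compared form may be the compressed one, so flag anything else.
    else if (canon !== ip) warnings.push(`${ip}: compressed form is ${canon}`);
  }
  // An empty list is not "deny all": per the table above it allows every IP.
  return { entries: [...seen], allowsAll: seen.size === 0, errors, warnings };
}
```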

Rotation, revocation, and deletion

Rotate

Rotation replaces a key while keeping the old one active during a configurable grace period (1–168 hours, default 24h), so you can update applications without downtime.
  1. Open rotation. In the API keys table, open the three-dot menu and select Rotate.
  2. Choose a grace period. Options: 1h, 6h, 12h, 24h (default), 48h, 72h, 168h.
  3. Store the new key. BabySea shows the new key once. Copy it before closing the dialog.
  4. Deploy the new key. Update your secrets manager and redeploy your services.
  5. Grace period expires. The old key stops authenticating automatically. No action needed.
The replacement key inherits the original’s name, scopes, and IP allowlist. Scopes are still immutable. Example quarterly rotation (default 24h grace):
  1. Mon 10:00 — Rotate prod-api-worker, copy new key
  2. Mon 10:05 — Update secrets manager
  3. Mon 10:10 — Deploy; services pick up new key
  4. Mon 10:30 — Verify with GET /v1/status
  5. Tue 10:00 — Grace period expires; old key stops working
Set a reminder before the grace period ends to confirm all services are on the new key.

Rotate vs. revoke

| Action | Old key | New key | Use when |
| --- | --- | --- | --- |
| Rotate | Active during grace period | Yes | Planned refresh |
| Revoke | Disabled immediately | No | Key is compromised or leaked |
If a key is compromised — revoke, don’t rotate.

Revoke

Revocation immediately disables the key. All requests return BSE1002 from that moment. The key and its logs remain visible in the table but the key cannot be reactivated.
Revocation is irreversible. To restore access, create a new key.

Delete

Deleting permanently removes the key and all associated request logs. The key is also immediately revoked if still active. Aggregate daily statistics are preserved in account analytics before deletion.
If you still need the audit logs, revoke instead of deleting. Deletion removes individual log entries permanently.

Action availability

ActionActiveRotatedExpiredRevoked
Rotate
Revoke
Delete

Usage tracking

BabySea records a Last used timestamp on every authenticated request. Keys that have never been used display No activity. Request metadata (endpoint, method, status code, SHA-256 hash of client IP) is logged for auditing. Raw IPs are never stored.

Error reference

| Code | Type | Message | HTTP |
| --- | --- | --- | --- |
| BSE1001 | missing_api_key | Missing API key. Provide a valid key via the Authorization header. | 401 |
| BSE1002 | invalid_api_key | Invalid or expired API key. | 401 |
| BSE1003 | insufficient_permissions | API key does not have permission for this resource. | 403 |
| BSE1007 | ip_not_allowed | This IP address is not in the allowlist for this API key. | 403 |
All errors include "retryable": false. To resolve BSE1003, provision a new key with a preset that includes the required scope.