API keys authenticate requests to the BabySea public /v1 API. Every authenticated call uses the Authorization: Bearer ... header, and each key belongs to one BabySea account.

What you see in API keys

The workspace page at API keys shows:
  • The page title API keys.
  • The button Create API key.
  • A search field.
  • A table with the columns API name, Prefix, Last used, Created, Status, and IP allowlist.
  • A row action menu with Rotate, Revoke, and Delete when those actions are available for that key.
Members can view the page, but create and management actions are limited to workspace owners.

Key format

BabySea generates keys with the bye_ prefix. The stored record also keeps a short prefix for dashboard display and lookup.
bye_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9
The full secret is shown once when you create or rotate the key. After that, the dashboard only shows the short prefix in the table.

How authentication works

Pass your API key in the Authorization header with the Bearer scheme:
Terminal
curl https://api.us.babysea.ai/v1/status \
  -H "Authorization: Bearer bye_your_api_key"
Or using the SDK:
TypeScript
import { BabySea } from 'babysea';

const client = new BabySea({
  apiKey: 'bye_your_api_key',
  region: 'us',
});
When BabySea receives your request, it performs these checks before allowing the route to continue:
  1. Read the header: BabySea reads the Authorization: Bearer bye_... header from the request.
  2. Locate the key record: BabySea looks up the stored key record using the key prefix.
  3. Verify the secret: BabySea compares the presented key against a stored bcrypt hash. The raw key is never stored in the database.
  4. Check the key state: BabySea rejects inactive or expired keys.
  5. Check scopes: BabySea confirms the key has the scope required by the route.
  6. Check the IP allowlist: If the key has stored allowed IPs, BabySea checks the request IP against that list.
If all checks pass, the request continues to the /v1 route handler.
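
The six checks above as one function, in an added example that is not BabySea's code. It assumes scrypt in place of bcrypt (so it runs on Node's standard library alone), a hypothetical record shape and scope name, exact-match IP comparison, and its own mapping of failed checks to the error codes listed on this page.

```typescript
import { scryptSync, timingSafeEqual } from 'node:crypto';

// Hypothetical record shape: the page describes these fields, not their schema.
interface KeyRecord {
  hash: Buffer;          // slow hash of the full key; the raw key is never stored
  salt: Buffer;
  status: 'active' | 'rotated' | 'expired' | 'revoked';
  scopes: string[];      // scope names here are made up for the example
  allowedIps: string[];  // empty means no allowlist is stored for the key
}

// scrypt stands in for bcrypt so the example needs only Node's standard library.
const hashKey = (key: string, salt: Buffer): Buffer => scryptSync(key, salt, 32);

// Returns null when all six checks pass, otherwise an error code from the page.
// Which code each failed check maps to is an assumption of this example.
function authenticate(header: string | undefined, ip: string, scope: string,
                      store: Map<string, KeyRecord>): string | null {
  const m = /^Bearer (\S+)$/.exec(header ?? '');            // 1. read the header
  if (!m) return 'BSE1001';
  const key = m[1] ?? '';
  const rec = store.get(key.slice(0, 9));                   // 2. locate by 9-char prefix
  if (!rec) return 'BSE1002';
  if (!timingSafeEqual(hashKey(key, rec.salt), rec.hash))   // 3. verify the secret
    return 'BSE1002';
  // 4. key state (assumed: a rotated key still works inside its replacement window)
  if (rec.status !== 'active' && rec.status !== 'rotated') return 'BSE1002';
  if (!rec.scopes.includes(scope)) return 'BSE1003';        // 5. scope
  // 6. allowlist, exact match only; skipped when no IPs are stored
  if (rec.allowedIps.length > 0 && !rec.allowedIps.includes(ip)) return 'BSE1007';
  return null;
}

// Constructed sample data: the example key from this page, documentation-range IPs.
const DEMO_KEY = 'bye_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9';
function demoStore(status: KeyRecord['status'] = 'active'): Map<string, KeyRecord> {
  const salt = Buffer.from('constructed-salt');
  return new Map<string, KeyRecord>([[DEMO_KEY.slice(0, 9), {
    hash: hashKey(DEMO_KEY, salt), salt, status,
    scopes: ['generations:read'], allowedIps: ['203.0.113.10'],
  }]]);
}
```

Because the secret is compared only after the prefix lookup, an unknown prefix and a wrong secret return the same code here, so a caller cannot tell the two cases apart from the response.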

Key prefix

The first 9 characters of each key are stored as the key prefix and displayed in the dashboard. This lets you identify a key without exposing the full secret.
Prefix shown in dashboard:  bye_a1B2c
Full key (shown once only): bye_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8s9
The prefix appears in the API keys table and can also be used to identify related activity later.

One time display

For security, the full API key is displayed exactly once when you create or rotate the key. After you dismiss that dialog, the raw value cannot be retrieved again. If you lose your key, you need to either:
  • Rotate the key and replace the old secret in your applications.
  • Delete the key and create a new one.

Scopes and account binding

Each API key is bound to one account. Requests made with that key run inside that account’s data boundary. When you create a key in the dashboard, you choose one of these permission presets:
| Preset | Dashboard description |
| --- | --- |
| Full Access | All permissions - read, write, delete |
| Generate Only | Create & read generations + browse models |
| Read Only | Read generations, account info, health - no spending |
| Monitor Only | Health checks & model catalog - no account data |
These presets map to the route scopes documented in Scopes.

Status column

The Status column can show these values:
| Status | Meaning |
| --- | --- |
| Active | The key can authenticate requests. |
| Rotated | The key was rotated and is still inside the current 24 hour replacement window. |
| Expired | The key can no longer authenticate. |
| Revoked | The key was manually disabled and can no longer authenticate. |

Common authentication errors

The API key system is directly connected to the route permission checks. These are the main errors users will see when a key cannot be used:
| Code | Meaning |
| --- | --- |
| BSE1001 | Missing API key. Provide a valid key via the Authorization header. |
| BSE1002 | Invalid or expired API key. |
| BSE1003 | API key does not have permission for this resource. |
| BSE1007 | This IP address is not in the allowlist for this API key. |

Next steps

  • Create - Step by step guide to creating your first API key
  • Scopes - Understand permissions and choose the right preset
  • IP allowlist - Restrict key usage to trusted IP addresses
  • Rotation - Rotate, revoke, and delete keys from the dashboard