API Core

Authentication and API Keys

Dual auth model (API keys + session tokens), key format, lifecycle, and secure handling.

7 min. Updated 2026-02-15
Quick Start
  1. Copy the request sample from this page.
  2. Run it in API Explorer with your key.
  3. Confirm the stream done payload (finish_reason + charged credits).
  4. Move the same payload into your backend code.

Authentication model

LLMWise supports two authentication methods:

Method         Header format         Use case
API key        Bearer mm_sk_...      Server-side integrations, scripts, CI/CD
Session token  Bearer eyJ... (JWT)   Browser dashboard, frontend apps via Clerk

Both methods use the same Authorization: Bearer <token> header. The backend detects which method you are using by the token prefix.

API key details

  • Prefix: mm_sk_ followed by 64 hex characters
  • Storage: Keys are SHA-256 hashed before storage — the raw key is only shown once at generation time
  • One key per account at a time. Generating a new key invalidates the previous one.
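
The prefix-based detection and hashed-key storage described above, sketched as a server-side check. This is an added example, not LLMWise's backend code; the function names, the lowercase-hex assumption and the log redaction format are assumptions, and JWT signature verification is left out.

```python
import hashlib
import hmac
import re
import secrets

# Key format from this page: mm_sk_ + 64 hex characters (lowercase is an assumption).
KEY_RE = re.compile(r"mm_sk_[0-9a-f]{64}")


def generate_key():
    """Return (raw_key, stored_digest). The raw key is shown once; only the digest is kept."""
    raw = "mm_sk_" + secrets.token_hex(32)  # 32 random bytes -> 64 hex characters
    return raw, hashlib.sha256(raw.encode()).hexdigest()


def classify_bearer(header_value):
    """Split 'Bearer <token>' and pick the auth method from the token prefix."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return ("invalid", None)
    if token.startswith("mm_sk_"):
        # Reject malformed keys before any database lookup.
        return ("api_key", token) if KEY_RE.fullmatch(token) else ("invalid", None)
    if token.startswith("eyJ"):
        # Looks like a JWT; RS256 signature verification must still happen elsewhere.
        return ("session_jwt", token)
    return ("invalid", None)


def verify_api_key(token, stored_digest):
    """Hash the presented key and compare it to the stored digest in constant time."""
    presented = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(presented, stored_digest)


def redact(token):
    """Log-safe form of a key: the public prefix plus the last 4 characters."""
    return token[:6] + "..." + token[-4:]
```

Because only the SHA-256 digest is stored, a database leak does not expose usable keys, and a lost raw key cannot be recovered, only regenerated.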

Key lifecycle

Generate -> Store -> Use -> Rotate

  1. Generate: POST /api/v1/keys/generate
  2. Store: Save in backend secret manager
  3. Use: Attach Bearer key in every request
  4. Rotate: DELETE /api/v1/keys/revoke + regenerate

Key endpoints

  • Generate: POST /api/v1/keys/generate
  • Status: GET /api/v1/keys/info
  • Revoke: DELETE /api/v1/keys/revoke

Session token auth

When using the LLMWise dashboard, authentication is handled automatically via Clerk session tokens (RS256 JWTs). On the first authenticated API call, a user account is auto-created with 40 free credits. No separate registration step is needed.

Secure usage baseline

LLMWISE_BASE_URL=https://llmwise.ai/api/v1
LLMWISE_API_KEY=mm_sk_xxx
REQUEST_TIMEOUT_MS=60000

Recommended key policy

  1. One key per app/service.
  2. Rotate keys periodically.
  3. Revoke on any leak signal.
  4. Never place keys in browser bundle or client-side code.

Frontend safety

If a key appears in client-side JavaScript, assume it is compromised. Keep keys only on server-side controlled infrastructure.
