Token360

Authentication

All Token360 API requests require authentication using an API key.

API Key Format

Token360 API keys follow the format:

sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Keys start with sk- followed by a unique alphanumeric string.

Using Your API Key

Include the API key in the Authorization header of every request:

1curl https://api.token360.ai/v1/chat/completions \
2  -H "Authorization: Bearer sk-your-api-key" \
3  -H "Content-Type: application/json" \
4  -d '{"model": "glm-5.1", "messages": [{"role": "user", "content": "Hello"}]}'

Managing API Keys

Creating a Key

  1. Log in to the Token360 Console.
  2. Go to API Keys in the sidebar.
  3. Enter a descriptive name (e.g., "production", "development") and select a workspace.
  4. Click Create and copy the key immediately — it will only be shown once.

Key Security Best Practices

  • Never expose keys in client-side code (browser JavaScript, mobile apps). Always call the API from your backend.
  • Use environment variables to store keys. Never hardcode them in source code.
  • Rotate keys regularly. Create a new key, update your application, then delete the old one.
  • Use separate keys for development and production environments.
  • Monitor usage in the console to detect unauthorized usage.

Disabling or Deleting a Key

If a key is compromised:

  1. Go to API Keys in the console.
  2. Find the key and use the toggle to Disable it (temporary) or click Delete (permanent).
  3. Create a new key and update your application.

Authentication Errors

If authentication fails, you'll receive a 401 error:

JSON
1{
2  "error": {
3    "message": "Invalid API key or token provided",
4    "type": "invalid_api_key",
5    "code": "401"
6  }
7}

Common causes:

  • Missing Authorization header
  • Incorrect key format (must include Bearer prefix)
  • Expired or deleted key
  • Key lacks permission for the requested resource
Was this page helpful?