Authentication
Authenticate Xenodia API calls with long-term API keys and server-side Bearer headers.
Xenodia public API calls use Bearer authentication.
```http
Authorization: Bearer YOUR_LONG_TERM_KEY
```
Keep API keys on the server. Do not expose a long-term key in browser JavaScript, mobile app bundles, public logs, or agent prompts that may be replayed into untrusted tools.
Base URL
```text
https://api.xenodia.xyz
```
Most endpoints in these docs are shown as full URLs for clarity.
Minimal headers
```http
Content-Type: application/json
Authorization: Bearer YOUR_LONG_TERM_KEY
```
Multipart media uploads should use the form boundary generated by your HTTP client rather than manually setting Content-Type.
Error handling
Clients should treat authentication errors as non-retryable until credentials change.
| Status | Meaning |
|---|---|
| 401 | Missing, malformed, expired, or invalid credentials. |
| 403 | Credentials are valid but do not allow the requested action, model, group, or billing mode. |
| 429 | Rate limit or quota boundary reached. Retry only according to response headers or your own backoff policy. |
Production checklist
- Store keys in a secret manager or encrypted environment variable.
- Use separate keys for local development, staging, and production.
- Rotate keys when developers leave or logs may have exposed credentials.
- Do not log raw request headers.
- Do not let agents create new long-term keys without an owner-approved policy.
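
The error-handling table and the checklist above, combined in one server-side helper. This is an added example, not code from the Xenodia docs: the environment variable name `XENODIA_API_KEY`, the function names, and the use of a `Retry-After` response header in delta-seconds form are assumptions.

```python
import os
import random

KEY_ENV_VAR = "XENODIA_API_KEY"  # assumed variable name, not from the docs


def build_headers(env=os.environ):
    """Minimal JSON headers; the key comes from the environment, never from source."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return {"Content-Type": "application/json", "Authorization": f"Bearer {key}"}


def redact_headers(headers):
    """Return a copy that is safe to log: the Bearer token is masked."""
    return {
        name: "Bearer [REDACTED]" if name.lower() == "authorization" else value
        for name, value in headers.items()
    }


def retry_decision(status, response_headers, attempt, max_attempts=5, cap=60.0):
    """Return (should_retry, delay_seconds) for the statuses in the table above.

    attempt is the number of retries already made (0 for the first failure).
    """
    if status in (401, 403):
        # Retrying cannot succeed until the credentials or their permissions change.
        return (False, 0.0)
    if status != 429 or attempt >= max_attempts:
        # Other statuses are outside this page's table; the caller decides.
        return (False, 0.0)
    lowered = {k.lower(): v for k, v in response_headers.items()}
    try:
        # Assumption: the server sends Retry-After as delta-seconds.
        delay = float(lowered["retry-after"])
        return (True, max(0.0, min(delay, cap)))
    except (KeyError, TypeError, ValueError):
        # No usable header: exponential backoff with full jitter.
        return (True, random.uniform(0.0, min(cap, 2.0 ** attempt)))
```

Log `redact_headers(headers)` rather than the request headers themselves, and stop the retry loop as soon as `retry_decision` returns `False`.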