OpenToken Docs

Authentication

Create an API key and authenticate requests with a Bearer token.

OpenToken authenticates every request with an API key. Keys are scoped to a workspace, prefixed with sk-optk-, and sent as a Bearer token on the Authorization header.

Create an API key

Open the console

Sign in to the console and select the workspace you want the key to belong to. Each key is tied to a single workspace and bills against that workspace's credit ledger.

Generate the key

Create a new key in the workspace's API keys section. The full secret is shown only once at creation time. Copy it immediately and store it in a secret manager — it cannot be retrieved again later.

Store it as an environment variable

Keep the key out of source control. Export it where your application runs.

export OPENTOKEN_API_KEY="sk-optk-..."

Authenticate a request

Send the key in the Authorization header as Bearer $OPENTOKEN_API_KEY. All /v1 endpoints require it.

curl https://api.opentoken.kr/v1/chat/completions \
  -H "Authorization: Bearer $OPENTOKEN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "google/gemini-3-flash",
    "messages": [{"role": "user", "content": "Hello"}]
  }'
from openai import OpenAI
import os

client = OpenAI(
    base_url="https://api.opentoken.kr/v1",
    api_key=os.environ["OPENTOKEN_API_KEY"],
)

resp = client.chat.completions.create(
    model="google/gemini-3-flash",
    messages=[{"role": "user", "content": "Hello"}],
)
print(resp.choices[0].message.content)
import OpenAI from "openai";

const client = new OpenAI({
  baseURL: "https://api.opentoken.kr/v1",
  apiKey: process.env.OPENTOKEN_API_KEY,
});

const resp = await client.chat.completions.create({
  model: "google/gemini-3-flash",
  messages: [{ role: "user", content: "Hello" }],
});
console.log(resp.choices[0].message.content);

Keep keys server-side

API keys grant full access to a workspace and its credits. Never embed a key in browser code, mobile apps, or any client you ship to users. Call OpenToken from your own backend and keep the key on the server.

If a key is exposed, revoke it in the console and generate a replacement. Revoked keys stop working immediately.

Failed authentication

A missing, malformed, expired, or revoked key returns 401 with the OpenAI-compatible error envelope. The type is always authentication_error; the code is one of missing_auth (no or malformed Bearer header), invalid_key (unknown or revoked key), or expired_key (key past its expiry).

{
  "error": {
    "message": "invalid api key",
    "type": "authentication_error",
    "code": "invalid_key"
  }
}

Next steps

Authentication reference

Header format and the full set of auth error codes.

Rate and spend limits

Per-key limits, quota errors, and how billing debits work.

Streaming

Stream chat completions over Server-Sent Events and read deltas as they arrive.

Reasoning

Control model thinking with the reasoning field and the reasoning_effort alias.

On this page

Create an API keyOpen the consoleGenerate the keyStore it as an environment variableAuthenticate a requestKeep keys server-sideFailed authenticationNext steps