API Keys

API keys are used to authenticate external applications and scripts that make requests to the OptimaGPT API. They are managed from the Configuration page.

How API key gating works

By default — when no API keys have been created — the OptimaGPT API accepts any request without authentication. This may be acceptable on a private network, but for any installation accessible from outside a trusted network, you should create at least one API key.

Once one or more keys exist, every API request must include a valid key. Requests without a key, or with an invalid key, will be rejected.

Viewing API keys

Open the Configuration page from the sidebar. The API Keys panel lists all configured keys, showing each key's name and owner.

Configuration page showing the API Keys panel with a list of keys, each showing name and owner, and copy/delete icons

Creating an API key

Click New API key. You will be prompted to enter:

Name — A label for this key (for example, the application or service that will use it)
Owner — The name of the person or team responsible for this key

Click Create. The key is generated and added to the list.

Copy the key value immediately after creation if you need to share it — the full key value can be retrieved later using the copy button.

Using an API key

Include the key in your requests using either of the following HTTP headers:

X-API-Key: your-key-here

Authorization: ApiKey your-key-here

Both formats are accepted on all API endpoints.

Deleting an API key

Click the delete icon on the key you want to remove. The key is revoked immediately — any application using it will start receiving authentication errors until it is updated with a valid key.