Start
Authentication
Authenticate requests with API keys, follow security practices, and handle auth errors.
All requests to Felo API Platform APIs require authentication using an API Key. This guide explains how to authenticate your requests and handle common authentication issues.
API Key Authentication
Felo uses API Key authentication for all v2 endpoints. Your API Key identifies your application and provides access to the platform's capabilities.
How It Works
- You obtain an API Key from the Felo API Platform API Keys page
- You include the API Key in the
Authorizationheader of every API request - The platform validates your API Key and processes your request
Header Format
Include your API Key in the Authorization header using the Bearer authentication scheme:
Authorization: Bearer YOUR_API_KEYExample Request
curl -X POST https://openapi.felo.ai/v2/chat \
-H "Authorization: Bearer sk_live_abc123xyz789" \
-H "Content-Type: application/json" \
-d '{"query": "What is machine learning?"}'Obtaining Your API Key
To get your API Key:
- Open the Felo API Platform API Keys page
- Sign in with your Felo account if prompted
- Enter a key name and click Create Key
- Copy the full key when it appears. It is only shown once
- Store the key securely and use it as
FELO_API_KEY
Security Best Practices
1. Store API Keys Securely
Don't hardcode API Keys in your source code:
# ❌ Bad - API Key exposed in code
api_key = "sk_live_abc123xyz789"Do use environment variables or secure configuration:
# ✅ Good - API Key from environment
import os
api_key = os.environ.get('FELO_API_KEY')2. Use Environment Variables
Store your API Key in environment variables:
Linux/macOS:
export FELO_API_KEY="sk_live_abc123xyz789"Windows (Command Prompt):
set FELO_API_KEY=sk_live_abc123xyz789Windows (PowerShell):
$env:FELO_API_KEY="sk_live_abc123xyz789"3. Rotate Keys Regularly
Periodically generate new API Keys and revoke old ones to minimize security risks.
4. Use Different Keys for Different Environments
Create separate API Keys for development, staging, and production environments.
5. Never Expose Keys in Client-Side Code
API Keys should only be used in server-side code. Never include them in:
- Frontend JavaScript code
- Mobile app source code
- Public repositories
- Client-side configuration files
Authentication Errors
Common Error Codes
| Error Code | Description | Solution |
|---|---|---|
INVALID_API_KEY | The API Key is invalid, malformed, or has been revoked | Verify your API Key is correct and hasn't been revoked |
MISSING_AUTHORIZATION | The Authorization header is missing | Include the Authorization header in your request |
MALFORMED_AUTHORIZATION | The Authorization header format is incorrect | Use the format: Authorization: Bearer YOUR_API_KEY |
EXPIRED_API_KEY | The API Key has expired | Generate a new API Key from the API Keys page |
RATE_LIMITED | Too many requests in a short time | Slow down your request rate or contact support for higher limits |
Error Response Format
When authentication fails, you'll receive an error response:
{
"status": "error",
"code": "INVALID_API_KEY",
"message": "The provided API Key is invalid or has been revoked",
"request_id": "req_abc123"
}Troubleshooting
Issue: "INVALID_API_KEY" Error
Possible causes:
- The API Key is incorrect or has typos
- The API Key has been revoked
- You're using a test key in production (or vice versa)
Solutions:
- Double-check your API Key for typos
- Verify the key has not been revoked on the API Keys page
- Ensure you're using the correct key for your environment
- Generate a new API Key if needed
Issue: "MISSING_AUTHORIZATION" Error
Possible causes:
- The Authorization header is not included in the request
- The header name is misspelled
Solutions:
- Ensure you're including the Authorization header
- Check the header name is exactly
Authorization(case-sensitive) - Verify your HTTP client is sending the header correctly
Issue: "MALFORMED_AUTHORIZATION" Error
Possible causes:
- The Authorization header format is incorrect
- Missing "Bearer" prefix
- Extra spaces or characters
Solutions:
- Use the exact format:
Authorization: Bearer YOUR_API_KEY - Ensure there's exactly one space after "Bearer"
- Don't include quotes around the API Key
Example: Debugging Authentication
import requests
url = "https://openapi.felo.ai/v2/chat"
api_key = "YOUR_API_KEY"
# Correct format
headers = {
"Authorization": f"Bearer {api_key}",
"Content-Type": "application/json"
}
response = requests.post(url, headers=headers, json={"query": "test"})
if response.status_code == 401:
error = response.json()
print(f"Authentication failed: {error['code']}")
print(f"Message: {error['message']}")
print(f"Request ID: {error['request_id']}")
else:
print("Authentication successful!")Rate Limiting
Rate limits are enforced per endpoint, not globally per API Key. See each endpoint's documentation for whether limits apply.
Currently rate-limited:
- `/v2/chat` - limited on per-API-Key, per-user (minute window) and per-user (hourly window) dimensions. Exact numeric thresholds are read from response headers (see below) so they can be tuned without doc updates.
Other /v2/** endpoints currently have no enforced rate limits.
When a limit is exceeded, the API returns 429 Too Many Requests with X-RateLimit-* headers and Retry-After. Always read effective limits from the response headers, not from this document.
Need Help?
If you're experiencing authentication issues:
- Review this guide carefully
- Check the Getting Started guide
- Verify your API Key on the API Keys page
- Contact support at [email protected] with your request ID
Next Steps
- Getting Started Guide - Learn how to make your first API call
- Chat API Reference - Explore the Chat API documentation