Secure your requests.
Bentoo AI uses Bearer token authentication over HTTPS. One key gives you access to every model in the catalog. Learn how to create, rotate, and protect your API keys.
API keys
Every Bentoo AI account can create multiple API keys. Keys are scoped to your account and carry the same permissions — there is no per-key model restriction. Keys start with btoo_ followed by a random suffix.
Creating a key
Sign in to the Bentoo AI dashboard, navigate to Settings → API Keys, and click Create key. Give it a descriptive name (e.g., "production-webapp") so you can identify it in usage logs later.
Key limits
Each key inherits your account's rate limits and credit balance. You can create up to 50 keys per account on the free tier and unlimited on Pro and Enterprise plans.
Authentication header
Include your key in the Authorization header of every request:
    curl https://api.bentoo.ai/v1/chat/completions \
      -H "Authorization: Bearer btoo_sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
      -H "Content-Type: application/json"

    from bentoo import Bentoo
    client = Bentoo(
        api_key="btoo_sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    )

    import Bentoo from "bentoo";
    const client = new Bentoo({
      apiKey: "btoo_sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    });
BENTOO_API_KEY in your environment or secret manager (Doppler, 1Password, AWS Secrets Manager) and let the SDK read it automatically. Never hardcode keys in source control.
Key rotation
Rotate keys regularly to limit blast radius if a credential leaks. Bentoo AI supports zero-downtime rotation: create a new key, update your deployments, then revoke the old one.
- Create new key in the dashboard with a new name.
- Update deployments to use the new key. Roll out gradually if you have multiple services.
- Monitor usage on the old key. Wait until its traffic drops to zero.
- Revoke old key in the dashboard. Requests using it will immediately return 401.
Security best practices
Never expose keys client-side
API keys should only live on your servers or in secure cloud functions. If you need to call Bentoo AI from a browser or mobile app, route requests through your own backend proxy.
Use least-privilege environments
Create separate keys for development, staging, and production. If a dev key leaks, your production traffic is unaffected.
IP allowlisting (Enterprise)
Enterprise customers can restrict key usage to specific IP ranges or CIDR blocks. Contact support@bentoo.ai to configure.
Audit logs
Every request is logged with timestamp, key ID (last 4 chars), model, token count, and source IP. View logs in the dashboard or export via the Audit API.
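The "wait until its traffic drops to zero" step under Key rotation can be checked against exported audit entries. The following is an added example, not Bentoo AI code: the record field names, the sample entries and the function `revocation_status` are assumptions built only from the values the page says each log entry contains.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample audit entries. Field names are assumptions made for this
# example; the page lists only which values each entry carries.
SAMPLE_LOG = [
    {"timestamp": "2024-05-01T09:00:00+00:00", "key_id": "a1b2", "model": "example-model", "tokens": 812, "source_ip": "203.0.113.10"},
    {"timestamp": "2024-05-02T08:30:00+00:00", "key_id": "a1b2", "model": "example-model", "tokens": 120, "source_ip": "203.0.113.10"},
    {"timestamp": "2024-05-02T15:45:00+00:00", "key_id": "a1b2", "model": "example-model", "tokens": 95, "source_ip": "198.51.100.7"},
    {"timestamp": "2024-05-03T10:00:00+00:00", "key_id": "c3d4", "model": "example-model", "tokens": 640, "source_ip": "203.0.113.10"},
    {"timestamp": "2024-05-03T11:15:00+00:00", "key_id": "a1b2", "model": "example-model", "tokens": 77, "source_ip": "198.51.100.7"},
    {"timestamp": "2024-05-03T11:40:00+00:00", "key_id": "c3d4", "model": "example-model", "tokens": 301, "source_ip": "198.51.100.7"},
]
NOW = datetime.fromisoformat("2024-05-03T12:00:00+00:00")  # constructed "current time"


def revocation_status(records, old_id, new_id, now, quiet=timedelta(hours=24)):
    """Decide whether the old key has been idle for `quiet` before revoking it."""
    if old_id == new_id:
        # Entries identify a key only by its last 4 characters, so two keys
        # with the same ending cannot be told apart in the logs.
        raise ValueError("old and new key IDs are identical; logs are ambiguous")
    cutoff = now - quiet
    last_seen, new_seen, stragglers = None, False, Counter()
    for rec in records:
        ts = datetime.fromisoformat(rec["timestamp"])
        if rec["key_id"] == new_id and ts >= cutoff:
            new_seen = True
        elif rec["key_id"] == old_id:
            last_seen = ts if last_seen is None else max(last_seen, ts)
            if ts >= cutoff:
                stragglers[rec["source_ip"]] += 1  # a deployment still on the old key
    return {
        # Silence on the old key only counts if the new key is carrying traffic.
        "safe_to_revoke": not stragglers and new_seen,
        "last_seen": last_seen,
        "stragglers": dict(stragglers),
    }


if __name__ == "__main__":
    print(revocation_status(SAMPLE_LOG, "a1b2", "c3d4", NOW))
```

The `stragglers` map lists the source IPs still sending requests with the old key, which points at the deployments that have not been updated yet.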
Troubleshooting
Authorization: Bearer btoo_....
curl -v -H "Authorization: Bearer $BENTOO_API_KEY" https://api.bentoo.ai/v1/models to verify connectivity. If that works, the issue is in your request body, not auth.