Authorization header.
The header
- Format: `Bearer <token>`. The space between `Bearer` and the token is required.
- Send the full token, including the `kbai_pk_` prefix.
- HTTPS is required. Plain HTTP requests are rejected in production.
Examples
Authentication errors
All auth errors return the same generic status and message — we don’t tell you whether a token is “missing” vs “revoked” to avoid handing enumeration hints to attackers.

| Cause | Fix |
|---|---|
| Authorization header missing. | Add it. |
| Header set but no Bearer prefix. | Include `Bearer` with a space. |
| Token mis-copied (truncated, extra whitespace, different charset). | Copy from your secret manager again. |
| Token revoked. | Check API Keys. If status is Revoked, mint a new one. |
| Token expired. | Same place — check the Status column. |
| Token owner deactivated. | Ask your tenant admin to reactivate the account. |
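The check below is an added illustration of the behaviour described above, not code from the Keebai API itself: every cause in the table collapses to one generic 401 for the client, while the specific reason is written only to the server log. The key table, the `kbai_pk_[A-Za-z0-9_]+` token charset and the response body are constructed assumptions.

```python
import logging
import re

log = logging.getLogger("auth")

# Constructed sample key table (assumption): token -> (status, owner_active).
KEY_STORE = {
    "kbai_pk_live_abc123": ("active", True),
    "kbai_pk_live_revoked": ("revoked", True),
    "kbai_pk_live_expired": ("expired", True),
    "kbai_pk_live_orphan": ("active", False),
}

# One response for every failure; the body never names the cause.
GENERIC_401 = (401, {"error": "unauthorized"})
# Assumed token charset; the docs only guarantee the kbai_pk_ prefix.
TOKEN_RE = re.compile(r"^kbai_pk_[A-Za-z0-9_]+$")


def classify(headers: dict) -> str:
    """Return the internal failure reason, or 'ok'. Never sent to the client."""
    raw = headers.get("Authorization")
    if raw is None:
        return "header_missing"
    # Scheme must be 'Bearer' followed by exactly one space.
    if not raw.startswith("Bearer "):
        return "bearer_prefix_missing"
    token = raw[len("Bearer "):]
    # Leading/trailing whitespace, truncation or a wrong charset/prefix
    # all look the same from here: a mis-copied token.
    if token != token.strip() or not TOKEN_RE.match(token):
        return "token_malformed"
    entry = KEY_STORE.get(token)
    if entry is None:
        return "token_unknown"
    status, owner_active = entry
    if status != "active":
        return f"token_{status}"          # token_revoked / token_expired
    if not owner_active:
        return "owner_deactivated"
    return "ok"


def authenticate(headers: dict):
    """Return (status_code, body). Only the success path differs from GENERIC_401."""
    reason = classify(headers)
    if reason != "ok":
        log.warning("auth failed: %s", reason)  # detail stays server-side
        return GENERIC_401
    return 200, {"ok": True}
```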
Where to store your token
Secret managers
AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, 1Password, Doppler. The right answer for production.
GitHub Actions
Repository Settings → Secrets → Actions → New secret. Reference as `${{ secrets.KEEBAI_API_TOKEN }}`.
Local .env
Personal dev only. Make sure `.env` is in `.gitignore`.
Server env vars
On servers: `export KEEBAI_API_TOKEN=...`. Never in source code.
Automatic leak detection
The `kbai_pk_` prefix is registered with GitHub’s secret scanning. If a token ends up in a public GitHub repo, you’ll get an alert and we’ll auto-revoke it.
To enable secret scanning on your private org repos: GitHub → Settings → Code security → Secret scanning.