Getting started
Authentication
One key, every surface. The same ck_live_… authenticates REST, SDK, CLI, MCP, and Skills.
Where keys come from
Create and revoke keys at Account → Apps & API (visible once your account is enabled for the beta). The full key (ck_live_…) is shown once — copy it right away. If you lose it, revoke it and generate another.
Sending the key
Send the key on every request, either as a Bearer token or in the X-API-Key header — both work:
Authorization: Bearer ck_live_xxxxxxxxxxxxxxxxxxxxxxxx
# ou
X-API-Key: ck_live_xxxxxxxxxxxxxxxxxxxxxxxx
Across the other surfaces
SDK, CLI, MCP, and Skills all read the same key from the CARANGUEJO_API_KEY environment variable (the CLI can also store it via caranguejo auth login):
export CARANGUEJO_API_KEY=ck_live_xxxxxxxxxxxxxxxxxxxxxxxx
Keep your keys safe
- Never expose the key in front-end code or commit it to Git. It acts on behalf of your account and spends your credits.
- Use environment variables / CI secrets, not hard-coded values.
- Suspect a leak? Revoke it at Account → Apps & API and generate a new one.
A missing, invalid, or revoked key returns
401. An account without beta access or an active plan returns 403. See Errors & limits.