Authentication
Learn how to authenticate with the 0ct API
Authentication
Section titled “Authentication”0ct uses API keys to authenticate requests. This guide covers how to create, manage, and use API keys for accessing the 0ct API.
Creating an API Key
Section titled “Creating an API Key”- Log in to your 0ct dashboard
- Navigate to Settings → API Keys
- Click Generate New Key
- Give your key a descriptive name (e.g., “Production Server” or “CI/CD Pipeline”)
- Copy the key immediately—it won’t be shown again!
Using Your API Key
Section titled “Using Your API Key”SDK Authentication
Section titled “SDK Authentication”The recommended way to authenticate is using the 0ct SDK:
import Oct from '0ct';
const client = new Oct({ apiKey: process.env.OCT_API_KEY});Direct API Authentication
Section titled “Direct API Authentication”For direct HTTP requests, include your API key in the Authorization header:
curl https://0ct.com/api/promptly/tasks \ -H "Authorization: Bearer your-api-key-here"Environment Variables
Section titled “Environment Variables”We strongly recommend storing your API key in environment variables rather than hardcoding:
# .env fileOCT_API_KEY=sk_live_xxxxxxxxxxxxx// Your codeconst client = new Oct({ apiKey: process.env.OCT_API_KEY});API Key Scopes
Section titled “API Key Scopes”API keys in 0ct are scoped to your organization. A single key provides access to all resources within that organization:
- Tasks (create, read, update, delete, run)
- Sources (create, read, update, delete)
- Skills (create, read, update, delete)
- Destinations (create, read, update, delete)
- Runs (read)
- Usage statistics (read)
Security Best Practices
Section titled “Security Best Practices”✅ Store API keys in environment variables
✅ Use different keys for development and production
✅ Rotate keys periodically
✅ Revoke unused keys immediately
✅ Use secrets managers in production (AWS Secrets Manager, HashiCorp Vault, etc.)
❌ Commit API keys to version control
❌ Share keys between team members (each person should have their own)
❌ Include keys in client-side code
❌ Log API keys in application logs
❌ Send keys over unencrypted channels
Key Rotation
Section titled “Key Rotation”To rotate an API key:
- Generate a new key in Settings → API Keys
- Update your application to use the new key
- Verify the new key works in production
- Revoke the old key
Rate Limits
Section titled “Rate Limits”API requests are rate-limited to ensure fair usage:
| Plan | Requests per minute |
|---|---|
| Free | 60 |
| Pro | 300 |
| Enterprise | Custom |
Rate limit headers are included in every response:
X-RateLimit-Limit: 300X-RateLimit-Remaining: 299X-RateLimit-Reset: 1706745600Error Handling
Section titled “Error Handling”Authentication errors return a 401 Unauthorized response:
{ "error": { "code": "unauthorized", "message": "Invalid or missing API key" }}Common causes:
- Missing
Authorizationheader - Invalid API key format
- Revoked or expired key
- Key from a different organization
SDK Error Handling
Section titled “SDK Error Handling”The SDK throws typed errors for authentication issues:
import Oct, { AuthenticationError } from '0ct';
const client = new Oct({ apiKey: process.env.OCT_API_KEY});
try { const tasks = await client.promptly.tasks.list();} catch (error) { if (error instanceof AuthenticationError) { console.error('Invalid API key'); // Handle authentication error } throw error;}Next Steps
Section titled “Next Steps”With authentication set up, you’re ready to: