Authentication
Authentication is optional. Unauthenticated requests run on the anonymous tier with conservative limits. Requests with a valid API key run on the tier assigned to that key.
Three ways to send a key
- Header:
x-api-key: alloy_… - Bearer:
Authorization: Bearer alloy_… - Query string:
?api_key=alloy_…(discouraged, leaks in logs)
Tiers
| Tier | Requests / hour | Burst / minute |
|---|---|---|
| anonymous | 600 | 30 |
| standard | 5,000 | 120 |
| trusted | 50,000 | 600 |
| internal | unlimited | unlimited |
Requesting a key
Submit a request describing your project. Approved requests receive a key once — store it securely; we hash it server-side and cannot show it again.
Rotating a key
Contact admin or use the dashboard to rotate. Rotation returns a fresh secret and invalidates the old one immediately.