Authentication

API key format, header options, scopes, and security practices for the Qamera AI API.

Every request to the Qamera AI API must include a valid API key. Unauthenticated requests receive a 401 Unauthorized response.

API Key Format

Keys follow the format:

mk_live_<keyId>.<secret>

Part        Description
mk_live_    Fixed prefix indicating a live production key.
<keyId>     A unique identifier for the key, used for lookups and audit trails.
<secret>    The secret portion, shown only once at creation time.

Example:

mk_live_7f3a2b1c.kP9xmWqLzR4tNvYs

Passing the Key

You can authenticate using either of two headers:

X-Api-Key Header (Recommended)

curl -X GET https://app.qamera.ai/api/external/products \
  -H "X-Api-Key: mk_live_7f3a2b1c.kP9xmWqLzR4tNvYs"

Authorization Bearer Header

curl -X GET https://app.qamera.ai/api/external/products \
  -H "Authorization: Bearer mk_live_7f3a2b1c.kP9xmWqLzR4tNvYs"

Both methods are equivalent. If both headers are present, X-Api-Key takes precedence.

Obtaining an API Key

  1. Log in to Qamera AI and open your team workspace.
  2. Navigate to Settings → API Keys.
  3. Click Generate New Key.
  4. Copy the full key value immediately. The secret portion is not stored in plaintext and cannot be retrieved later.

Each team account can have multiple active keys. Keys are scoped to the account that created them and inherit that account's credit balance.

Scopes

API keys are assigned scopes that control which operations they can perform.

Scope             Permissions
content.register  Create orders, trigger content generation (POST endpoints).
content.read      Read products, orders, jobs, and results (GET endpoints). Planned.
queue.nudge       Reprioritize queued jobs. Planned.

Currently, all keys are issued with the content.register scope. Requests to an endpoint that requires a scope your key does not have will receive a 403 Forbidden response.

Security

  • Hashed storage — Key secrets are hashed with bcrypt before storage. Qamera AI cannot recover a lost secret.
  • Per-account isolation — Keys belong to a specific team account. They cannot access data from other accounts.
  • Expiration — Keys can be configured with an expiration date. Expired keys return 401 Unauthorized.
  • Revocation — You can revoke a key at any time from Settings → API Keys. Revocation takes effect immediately.
  • Usage tracking — Each key records a last_used_at timestamp. All content generation triggered by a key is tracked via cg_orders and cg_jobs for audit purposes.
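The following is an added example, not Qamera AI's own code, showing how a server can put the rules from the "Passing the Key", "Scopes" and "Security" sections together: read the key from X-Api-Key or Authorization: Bearer (X-Api-Key wins), parse the mk_live_<keyId>.<secret> format, verify the secret against a stored hash, reject revoked or expired keys with 401, enforce scopes with 403, and stamp last_used_at. The key store, the fixed field lengths in the regex, and the use of scrypt in place of bcrypt (so the example runs with the standard library alone) are assumptions of this example.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timedelta, timezone

# Key format documented on the page: mk_live_<keyId>.<secret>.
# The lengths (8 hex chars, 16+ alphanumerics) are assumed from the page's example.
KEY_RE = re.compile(r"^mk_live_(?P<key_id>[0-9a-f]{8})\.(?P<secret>[A-Za-z0-9]{16,})$")
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # The page says secrets are bcrypt-hashed; scrypt from hashlib stands in here
    # (assumption) so the example needs no third-party package. Only the hash is stored.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**13, r=8, p=1)


def create_key(store, account_id, scopes, expires_in_days=None, now=None):
    """Generate a key, persist only its salted hash, and return the full key once."""
    now = now or datetime.now(timezone.utc)
    key_id = secrets.token_hex(4)  # 8 hex chars, as in the page's example key
    secret = "".join(secrets.choice(ALPHABET) for _ in range(16))
    salt = secrets.token_bytes(16)
    store[key_id] = {  # hypothetical in-memory key store
        "account_id": account_id,
        "salt": salt,
        "hash": _hash_secret(secret, salt),
        "scopes": set(scopes),
        "expires_at": now + timedelta(days=expires_in_days) if expires_in_days else None,
        "revoked": False,
        "last_used_at": None,
    }
    return f"mk_live_{key_id}.{secret}"


def revoke_key(store, key_id):
    """Revocation takes effect on the next request: the record stays for audit trails."""
    store[key_id]["revoked"] = True


def extract_key(headers):
    """Return the raw key from the request; X-Api-Key wins when both headers are present."""
    lower = {name.lower(): value for name, value in headers.items()}
    if "x-api-key" in lower:
        return lower["x-api-key"].strip()
    scheme, _, token = lower.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token:
        return token.strip()
    return None


def authenticate(headers, store, now=None):
    """Return (status, record): 200 with the key record, or 401 with None."""
    now = now or datetime.now(timezone.utc)
    raw = extract_key(headers)
    if raw is None:
        return 401, None
    match = KEY_RE.match(raw)
    if not match:
        return 401, None
    record = store.get(match["key_id"])
    if record is None:
        # Note: returning early here is faster than the hash path below; a production
        # server would hash against a dummy record to keep the timing uniform.
        return 401, None
    candidate = _hash_secret(match["secret"], record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return 401, None
    if record["revoked"]:
        return 401, None
    if record["expires_at"] is not None and now >= record["expires_at"]:
        return 401, None
    record["last_used_at"] = now  # usage tracking for the audit trail
    return 200, record


def handle_request(headers, store, required_scope, now=None):
    """401 when the key is missing/invalid/expired/revoked, 403 when it lacks the scope."""
    status, record = authenticate(headers, store, now)
    if status != 200:
        return status
    if required_scope not in record["scopes"]:
        return 403
    return 200
```

The 401/403 split mirrors the page: a key that fails any check in authenticate() is treated as absent, while a valid key without the right scope is recognised but refused. Scope enforcement happens only after the hash check, so an attacker cannot learn which scopes exist by probing with an invalid key.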

Best Practices

  • Store keys in environment variables or a secrets manager. Never commit them to version control.
  • Use separate keys for different environments (development, staging, production).
  • Rotate keys periodically and revoke any that are no longer needed.
  • Monitor last_used_at to detect unused or potentially compromised keys.
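An added example (not from Qamera AI) of the monitoring the last two points describe: an audit over a team's key records that flags keys that have never been used or have gone unused, keys with no expiration, keys expiring soon, and keys old enough to be due for rotation. The record layout, the sample records and the thresholds are constructed for this example; the page documents last_used_at, expiration and revocation but not a listing API.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a team's key listing (assumed fields, not a documented API shape).
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"key_id": "7f3a2b1c", "env": "production", "created_at": NOW - timedelta(days=30),
     "last_used_at": NOW - timedelta(days=1), "expires_at": NOW + timedelta(days=90), "revoked": False},
    {"key_id": "a1b2c3d4", "env": "staging", "created_at": NOW - timedelta(days=200),
     "last_used_at": NOW - timedelta(days=45), "expires_at": None, "revoked": False},
    {"key_id": "deadbeef", "env": "development", "created_at": NOW - timedelta(days=10),
     "last_used_at": None, "expires_at": NOW + timedelta(days=3), "revoked": False},
    {"key_id": "0badf00d", "env": "production", "created_at": NOW - timedelta(days=400),
     "last_used_at": NOW - timedelta(days=200), "expires_at": None, "revoked": True},
]


def audit_keys(keys, now, unused_after_days=30, expiring_within_days=7, rotate_after_days=90):
    """Return (key_id, finding) pairs for active keys that need attention.

    Only the keyId is reported: it is the lookup/audit identifier, so findings can be
    logged or ticketed without ever handling the secret portion.
    """
    findings = []
    for key in keys:
        if key["revoked"]:
            continue  # already cleaned up; nothing to do
        kid = key["key_id"]
        # Unused keys are candidates for revocation (or a sign of a forgotten deployment).
        if key["last_used_at"] is None:
            findings.append((kid, "never used"))
        elif now - key["last_used_at"] > timedelta(days=unused_after_days):
            findings.append((kid, "unused"))
        # Keys without an expiration stay valid until someone remembers to revoke them.
        if key["expires_at"] is None:
            findings.append((kid, "no expiration"))
        elif key["expires_at"] - now <= timedelta(days=expiring_within_days):
            findings.append((kid, "expiring soon"))
        # Periodic rotation: flag keys older than the rotation window.
        if now - key["created_at"] > timedelta(days=rotate_after_days):
            findings.append((kid, "rotation overdue"))
    return findings


def keys_per_environment(keys):
    """Count active keys per environment, to check that environments are not sharing keys."""
    counts = {}
    for key in keys:
        if not key["revoked"]:
            counts[key["env"]] = counts.get(key["env"], 0) + 1
    return counts


if __name__ == "__main__":
    for key_id, finding in audit_keys(SAMPLE_KEYS, NOW):
        print(f"{key_id}: {finding}")
    print(keys_per_environment(SAMPLE_KEYS))
```

Run this periodically (for example from a scheduled job) and feed the findings into whatever ticketing or alerting you already use; a key reported as "unused" for a long window that suddenly shows recent activity is worth a closer look, since it may have been picked up by someone other than its owner.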