Authentication
QuillAI uses static Bearer tokens — create and rotate them from the Developers dashboard.
Create a key
Open Developers, click Create key, give it a label, and copy the plaintext value — we only show it once. Drop it into an environment variable (for example QAI_KEY) on the machine that will make requests. If you lose the key you can't recover it; revoke it and mint a new one.
Key format
Keys are ~40 characters: a fixed prefix plus a base62 body. Only the SHA-256 hash is stored server-side, so the plaintext is visible exactly once at creation.
| Prefix | Environment | Description |
|---|---|---|
| qai_test_ | Sandbox | Not billed. Returns mock output — safe for CI and local dev. |
| qai_live_ | Production | Billed per point against your balance. Use only on trusted servers. |
Make an authenticated request
Send the key in the Authorization header on every request. Start with GET /v1/me to confirm the key works and check your remaining balance.
curl https://api.quillhub.ai/v1/me \
  -H "Authorization: Bearer $QAI_KEY"
A valid key returns 200 with your account id, current point balance, and active subscription (or null if you're on pay-as-you-go).
{
  "id": "usr_3f9a2c1e8b",
  "available_points": 12400,
  "subscription": null
}
Storing keys safely
- Load keys from environment variables or a secret manager (Vault, AWS Secrets Manager, Doppler) — never from a config file checked into git.
- Keep live keys off developer laptops. Use qai_test_ locally and qai_live_ only in your deployed environments.
- Never commit keys, paste them into issues, or log them. Scrub them from error reporters.
- Rotate keys on a schedule and whenever someone with access leaves the team.
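The following is an added example, not QuillAI's own code: one way to enforce the rules above on the client side by loading the key from QAI_KEY, refusing a qai_live_ key outside a deployed environment, and scrubbing keys from log output. The deployment names, the helper names, and the minimum body length in the pattern are assumptions.

```python
import logging
import os
import re

# Prefixes come from the page; the body-length bound is an assumption, since
# the page only says keys are "~40 characters" with a base62 body.
KEY_RE = re.compile(r"qai_(test|live)_[0-9A-Za-z]{16,}")


def redact(text: str) -> str:
    """Replace any QuillAI key in text with its prefix and a marker."""
    return KEY_RE.sub(lambda m: f"qai_{m.group(1)}_[REDACTED]", text)


def load_key(environ=os.environ, deployment: str = "local") -> str:
    """Read QAI_KEY; refuse a live key unless deployment is "production".
    The deployment names are hypothetical, not part of the QuillAI API."""
    key = environ.get("QAI_KEY", "")
    if not KEY_RE.fullmatch(key):
        raise ValueError("QAI_KEY is missing or not a qai_test_/qai_live_ key")
    if key.startswith("qai_live_") and deployment != "production":
        raise PermissionError("live key outside production; use a qai_test_ key")
    return key


class RedactingFilter(logging.Filter):
    """Scrub keys from log records before any handler sees them."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # the message is already fully formatted
        return True


def demo() -> str:
    """Log a constructed key through the filter; return the emitted text."""
    fake = "qai_test_" + "A1b2C3d4" * 4  # constructed sample, not a real key
    captured = []
    handler = logging.Handler()
    handler.emit = lambda rec: captured.append(rec.getMessage())
    log = logging.getLogger("qai_demo")
    log.propagate = False
    log.addFilter(RedactingFilter())
    log.addHandler(handler)
    log.error("request failed: Authorization: Bearer %s", fake)
    return captured[0]


if __name__ == "__main__":
    print(demo())
```

A filter attached to a logger only covers records created on that logger; to cover child loggers and third-party libraries as well, attach the same filter to each handler instead.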
Errors
A missing or malformed token returns 401 with type authentication_error. A revoked or out-of-scope key returns 403 with type permission_error. Both responses share the shape below.
{
  "error": {
    "type": "authentication_error",
    "message": "Invalid API key provided."
  }
}