Draftworks

Authentication

API key format, headers, storage model, and key management limits.

The metered inference endpoints — POST /v1/chat/completions and POST /v1/responses — require an API key. The model endpoints GET /v1/models and GET /v1/models/{model} are public and take no key, so they are convenient for health checks. Create and revoke keys at /dashboard/keys.

Headers

The standard header is Authorization: Bearer:

Terminal
curl https://www.draftworks.dev/v1/chat/completions \
  -H "Authorization: Bearer dw_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "model": "gpt-5.5", "messages": [{ "role": "user", "content": "ping" }] }'

For drop-in compatibility with Azure-style clients, the api-key header is also accepted:

Terminal
curl https://www.draftworks.dev/v1/chat/completions \
  -H "api-key: dw_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "model": "gpt-5.5", "messages": [{ "role": "user", "content": "ping" }] }'

If both headers are present, Authorization wins. Requests to a metered endpoint with a missing, malformed, or revoked key return 401 invalid_api_key — see errors.

Key format

Keys are prefixed dw_live_ followed by a random token:

dw_live_Xk2vR8mQ4tYw7bN3cJ6hL9sD1fG5aZ0e

The prefix makes keys identifiable in secret scanners and log redaction rules. Treat the full string as a secret: server-side environment variables only, never in client-side code or committed files.

Storage: hashed at rest

Draftworks stores only the SHA-256 hash of each key. The plaintext is displayed exactly once, at creation, and cannot be recovered afterward — not by you, not by us. If a key is lost, revoke it and create a new one.

The dashboard shows the first and last few characters of each key so you can tell them apart.

Limits and revocation

Active keys per account20
RevocationImmediate — in-flight requests complete; the next request fails with 401
ExpiryKeys do not expire; revoke manually

Scoping advice

Create one key per application and per environment (app-prod, app-staging, ci). This keeps three properties:

  • Blast radius. A leaked key is revoked without touching anything else.
  • Rotation. Rotate one consumer at a time: create the new key, deploy, revoke the old one.

All keys draw from the same credit balance and share the same rate tier. Usage in /dashboard/usage is reported per account, aggregated across all keys — there is no per-key cost breakdown. If you need cost-per-app attribution, tag or record usage in your own instrumentation.

On this page