Authentication
API key format, headers, storage model, and key management limits.
The metered inference endpoints — POST /v1/chat/completions and POST /v1/responses — require an API key. The model endpoints GET /v1/models and GET /v1/models/{model} are public and take no key, so they are convenient for health checks. Create and revoke keys at /dashboard/keys.
Headers
The standard header is Authorization: Bearer:
curl https://www.draftworks.dev/v1/chat/completions \
-H "Authorization: Bearer dw_live_..." \
-H "Content-Type: application/json" \
-d '{ "model": "gpt-5.5", "messages": [{ "role": "user", "content": "ping" }] }'For drop-in compatibility with Azure-style clients, the api-key header is also accepted:
curl https://www.draftworks.dev/v1/chat/completions \
-H "api-key: dw_live_..." \
-H "Content-Type: application/json" \
-d '{ "model": "gpt-5.5", "messages": [{ "role": "user", "content": "ping" }] }'If both headers are present, Authorization wins. Requests to a metered endpoint with a missing, malformed, or revoked key return 401 invalid_api_key — see errors.
Key format
Keys are prefixed dw_live_ followed by a random token:
dw_live_Xk2vR8mQ4tYw7bN3cJ6hL9sD1fG5aZ0eThe prefix makes keys identifiable in secret scanners and log redaction rules. Treat the full string as a secret: server-side environment variables only, never in client-side code or committed files.
Storage: hashed at rest
Draftworks stores only the SHA-256 hash of each key. The plaintext is displayed exactly once, at creation, and cannot be recovered afterward — not by you, not by us. If a key is lost, revoke it and create a new one.
The dashboard shows the first and last few characters of each key so you can tell them apart.
Limits and revocation
| Active keys per account | 20 |
| Revocation | Immediate — in-flight requests complete; the next request fails with 401 |
| Expiry | Keys do not expire; revoke manually |
Scoping advice
Create one key per application and per environment (app-prod, app-staging, ci). This keeps three properties:
- Blast radius. A leaked key is revoked without touching anything else.
- Rotation. Rotate one consumer at a time: create the new key, deploy, revoke the old one.
All keys draw from the same credit balance and share the same rate tier. Usage in /dashboard/usage is reported per account, aggregated across all keys — there is no per-key cost breakdown. If you need cost-per-app attribution, tag or record usage in your own instrumentation.