
Authentication

All Assisters API requests require authentication using an API key. This guide covers how to create, use, and manage your API keys securely.

API Keys

API keys are the primary method for authenticating with Assisters API. Each key:
  • Starts with the prefix ask_
  • Is tied to your account for billing
  • Can be restricted to specific domains (optional)
  • Can be revoked at any time

Creating an API Key

  1. Open the Dashboard
  2. Click Create New Key: click the Create New Key button in the top right.
  3. Name Your Key: give your key a descriptive name (e.g., “Production Server”, “Development”).
  4. Set Domain Restrictions (Optional): add allowed domains if you want to restrict where the key can be used.
  5. Copy Your Key: copy the full API key immediately - it won’t be shown again!

Your API key is only displayed once when created. Store it securely - you cannot retrieve it later.

Using Your API Key

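Include your API key in the Authorization header with the Bearer prefix. The OpenAI Python SDK sends this header for you when you pass the key as api_key and set base_url to the Assisters endpoint: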
from openai import OpenAI

client = OpenAI(
    api_key="ask_your_api_key_here",
    base_url="https://api.assisters.dev/v1"
)

API Key Limits

Each account can have up to 10 active API keys. The first key created is automatically marked as the primary key.
Feature | Limit
Keys per account | 10
Key prefix | ask_
Domain restrictions | Unlimited
Revocation | Instant

Domain Restrictions

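You can restrict API keys to specific domains for additional security. This is useful for client-side applications where the key might be exposed. A key shipped in client-side code is still readable by anyone who loads the page, so the restriction limits where the key is accepted; it does not keep the key secret.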
{
  "allowed_domains": [
    "example.com",
    "app.example.com",
    "*.example.com"
  ]
}
Domain restrictions are optional. If no domains are specified, the key works from any origin.

Security Best Practices

Use Environment Variables

Never hardcode API keys in your source code. Use environment variables instead.

Rotate Keys Regularly

Create new keys and revoke old ones periodically to limit exposure.

Use Separate Keys

Use different keys for development, staging, and production environments.

Monitor Usage

Check your dashboard regularly for unexpected usage patterns.

Environment Variables

Store your API key in environment variables:
export ASSISTERS_API_KEY="ask_your_api_key_here"
Then access it in your code:
import os
from openai import OpenAI

client = OpenAI(
    api_key=os.environ["ASSISTERS_API_KEY"],
    base_url="https://api.assisters.dev/v1"
)

Git Ignore

Always add your .env file to .gitignore:
# .gitignore
.env
.env.local
.env.*.local
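
Ignoring .env only protects that file; a key pasted into source code still gets committed. The scanner below is an added example, not part of the Assisters documentation: it flags strings that look like ask_ keys in the files passed to it (for instance from a pre-commit hook) and prints only the 12-character prefix. The key body pattern and the placeholder allowlist are assumptions, since this page documents only the ask_ prefix.

```python
import re
import sys

# Assumption: the page documents only the "ask_" prefix. The body pattern
# (16+ letters, digits, "_" or "-") is a guess, so tune it to real keys.
KEY_RE = re.compile(r"\bask_[A-Za-z0-9_-]{16,}")
# Documentation placeholders that are safe to commit.
PLACEHOLDERS = {"ask_your_api_key_here"}


def mask(key):
    """Keep the 12-character prefix the dashboard also shows; hide the rest."""
    return key[:12] + "..."


def scan_text(text, name="<stdin>"):
    """Return (file, line number, masked key) for each suspected key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            if match.group(0) not in PLACEHOLDERS:
                findings.append((name, lineno, mask(match.group(0))))
    return findings


def scan_files(paths):
    """Scan each path, skipping files that cannot be read."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as handle:
                findings.extend(scan_text(handle.read(), path))
        except OSError:
            continue
    return findings


def main(argv):
    """Exit status 1 blocks the commit when any suspected key is found."""
    findings = scan_files(argv)
    for name, lineno, masked in findings:
        print(f"{name}:{lineno}: possible Assisters API key {masked}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A hit means the key should be revoked and replaced, not just deleted from the file, because it remains in Git history.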

Managing API Keys

View All Keys

In your dashboard, you can see all your API keys with:
  • Name and creation date
  • Key prefix (first 12 characters)
  • Primary key status
  • Domain restrictions
  • Last used timestamp

Revoke a Key

To revoke a key:
  1. Go to your API Keys dashboard
  2. Find the key you want to revoke
  3. Click the Revoke button
  4. Confirm the revocation
Revoking a key is immediate and permanent. Any applications using that key will stop working instantly.

Set Primary Key

The primary key is used for embed widgets. To change your primary key:
  1. Go to your API Keys dashboard
  2. Find the key you want to make primary
  3. Click Set as Primary

Rate Limits by Tier

Your API key inherits rate limits from your subscription tier:
Tier | Requests/Minute | Tokens/Minute
Free | 10 RPM | 100K TPM
Developer | 100 RPM | 1M TPM
Startup | 500 RPM | 5M TPM
Enterprise | Custom | Custom
Rate limit information is included in response headers:
X-RateLimit-Limit-RPM: 100
X-RateLimit-Remaining-RPM: 95
X-RateLimit-Limit-TPM: 1000000
X-RateLimit-Remaining-TPM: 995000

Error Responses

401 Unauthorized

{
  "error": {
    "message": "Invalid API key provided",
    "type": "invalid_request_error",
    "code": "invalid_api_key"
  }
}
Causes:
  • API key is missing or malformed
  • API key has been revoked
  • API key doesn’t start with ask_

403 Forbidden

{
  "error": {
    "message": "Request origin not allowed for this API key",
    "type": "invalid_request_error",
    "code": "origin_not_allowed"
  }
}
Causes:
  • Request came from a domain not in the allowed list
  • Domain restrictions are blocking the request
