API Authentication

Secure authentication methods for accessing the ARKA AI API.

⚠️ API Access Requirements

API access is available on the Agency plan ($699/month). Contact sales@arka-ai.com to enable API access for your account.

Authentication Overview

ARKA AI uses API keys to authenticate requests. Your API keys carry many privileges, so keep them secure!

  • Authentication is done via the Authorization header
  • All API requests must be made over HTTPS
  • Requests without authentication will return a 401 error
  • Invalid or expired keys will return a 403 error

Getting Your API Key

  1. Log into your ARKA AI dashboard
  2. Go to Settings → API Keys
  3. Click "Create New API Key"
  4. Give your key a descriptive name (e.g., "Production Server")
  5. Copy the key immediately - it won't be shown again
  6. Store the key securely (use environment variables)

Using Your API Key

Authorization Header

Include your API key in the Authorization header as a Bearer token:

Authorization: Bearer arka_sk_1234567890abcdefghijklmnopqrstuv

Example Requests

cURL

curl https://api.arka-ai.com/v1/chat/completions \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o",
    "messages": [
      {"role": "user", "content": "Hello, world!"}
    ]
  }'

JavaScript / Node.js

const response = await fetch('https://api.arka-ai.com/v1/chat/completions', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    model: 'gpt-4o',
    messages: [
      { role: 'user', content: 'Hello, world!' }
    ]
  })
});

const data = await response.json();
console.log(data);

Python

import requests

response = requests.post(
    'https://api.arka-ai.com/v1/chat/completions',
    headers={
        'Authorization': 'Bearer YOUR_API_KEY',
        'Content-Type': 'application/json'
    },
    json={
        'model': 'gpt-4o',
        'messages': [
            {'role': 'user', 'content': 'Hello, world!'}
        ]
    }
)

data = response.json()
print(data)

API Key Types

🔑 Secret Keys

Prefix: arka_sk_

Full access to your account. Use these for server-side applications only. Never expose in client-side code or public repositories.

  • • Full read/write access
  • • Can create/delete resources
  • • Access billing information
  • • Manage integrations

📖 Publishable Keys

Prefix: arka_pk_

Read-only access. Safe to use in client-side applications. Limited permissions.

  • • Read-only API calls
  • • Cannot modify resources
  • • No billing access
  • • Safe for frontend code

Security Best Practices

✅ Use Environment Variables

Store API keys in environment variables, never hardcode them in your source code.

✅ Rotate Keys Regularly

Create new API keys and delete old ones every 90 days for security.

✅ Use Separate Keys per Environment

Create different API keys for development, staging, and production.

❌ Never Commit Keys to Git

Add .env files to .gitignore. If accidentally committed, rotate immediately.

❌ Don't Use Secret Keys in Frontend

Client-side code exposes keys to users. Use publishable keys or proxy through your backend.

Managing API Keys

Viewing Keys

You can view all your API keys in Settings → API Keys. For security, only the key prefix is shown (e.g., arka_sk_1234...vwxyz).

Revoking Keys

If a key is compromised or no longer needed:

  1. Go to Settings → API Keys
  2. Find the key to revoke
  3. Click "Delete"
  4. Confirm deletion

Deleted keys are immediately invalidated and cannot be recovered.

Key Rotation

To rotate an API key without downtime:

  1. Create a new API key
  2. Update your applications to use the new key
  3. Test that the new key works
  4. Delete the old key

Rate Limiting

API requests are rate limited to prevent abuse:

  • Agency plan: 1,000 requests per minute
  • Custom Enterprise: Higher limits available

Rate Limit Headers

Each API response includes rate limit headers:

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1640995200

Handling Rate Limits

If you exceed the rate limit, you'll receive a 429 error:

{
  "error": {
    "message": "Rate limit exceeded. Please retry after 60 seconds.",
    "type": "rate_limit_error",
    "retry_after": 60
  }
}

Implement exponential backoff to handle rate limits gracefully.

Authentication Error Codes

Status CodeError TypeDescription
401UnauthorizedMissing or invalid Authorization header
403ForbiddenAPI key lacks required permissions
429Rate LimitToo many requests, retry after delay
503Service UnavailableTemporary server issue, retry with backoff

Next Steps

API Endpoints →

Explore available API endpoints

Get API Key →

Create your first API key