Authentication
API keys, rate limits, and security.
Authentication
All API requests require an API key in the Authorization header.
Using Your API Key
curl 'https://api.smavatar.com/api/v1/...' \
-H 'Authorization: Bearer sma_your_api_key'
API keys start with sma_ followed by 32 random characters.
Keys are hashed before storage. We never store your full key in plain text.
Projects and Keys
Organization (your account)
└── Project
└── API Keys (multiple per project)
└── Jobs
Create multiple projects to separate applications. Create multiple keys per project for different environments (dev, staging, production).
Create an API Key
- Open your project in the dashboard
- Go to API Keys tab
- Click Create API Key
- Copy the key immediately—you won't see it again
Rate Limits
| Endpoint | Limit |
|---|---|
| Job creation | 60 per hour |
| Job status | 300 per hour |
| MCP tools | 600 per hour |
Exceeding limits returns 429 Too Many Requests with a Retry-After header.
Security Best Practices
Do:
- Store keys in environment variables
- Use different keys for dev/staging/production
- Rotate keys periodically
- Revoke compromised keys immediately
Don't:
- Commit keys to version control
- Expose keys in client-side code
- Share keys in chat or email
Environment Variables
# .env (never commit)
SMAVATAR_API_KEY=sma_your_key_here
SMAVATAR_PROJECT_ID=your-project-uuid
// Node.js
const apiKey = process.env.SMAVATAR_API_KEY
# Python
import os
api_key = os.environ.get('SMAVATAR_API_KEY')
Revoking Keys
If a key is compromised:
- Go to your project → API Keys
- Click Revoke on the compromised key
- Create a new key
- Update your applications
Revoked keys stop working immediately.
Error Responses
Invalid API Key (401)
{
"statusCode": 401,
"message": "Invalid API key"
}
Wrong Project (403)
{
"statusCode": 403,
"message": "API key does not have access to this project"
}