EggAPI has two authentication modes in the product:
  • Public server-to-server API calls use API keys.
  • The website dashboard and admin tools use Better Auth session cookies.
This documentation covers the public API key flow.

API Key Header

Send your key as a Bearer token on every public API request:
Authorization: Bearer YOUR_API_KEY
Example:
curl https://api.eggapi.ai/v1/usage/summary \
  -H "Authorization: Bearer YOUR_API_KEY"
The backend rejects requests when the header is missing, the format is not Bearer <token>, the key is inactive or expired, or the owning user is not active.

Creating Keys

Create and manage API keys from the EggAPI dashboard. API key creation is a dashboard session action; do not call it from backend jobs or customer-facing clients. When a key is created, store it immediately. Treat it like a password and only use it from server-side code.

Which Endpoints Accept API Keys

Generation

POST /v1/generate accepts API keys and also supports session auth for dashboard playground use.

Tasks

GET /v1/tasks/{id} and GET /v1/tasks accept API keys and session auth.

Usage

GET /v1/usage and GET /v1/usage/summary require API key authentication.

Dashboard

API key management, account balance, and webhook secret management use browser sessions.

Security Practices

  • Keep API keys on your server. Do not expose them in frontend JavaScript, mobile apps, public repositories, or logs.
  • Use separate keys for production, staging, and local development.
  • Rotate a key if it may have been exposed.
  • Prefer a backend endpoint you control when browser users need to trigger EggAPI generation.

Common Authentication Errors

{
  "data": null,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Missing Authorization header"
  }
}

{
  "data": null,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid Authorization format, expected 'Bearer <token>'"
  }
}

{
  "data": null,
  "error": {
    "code": "FORBIDDEN",
    "message": "User account is suspended"
  }
}
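
An added example, not EggAPI's own code, for the Security Practices and Common Authentication Errors sections: server-side Python that loads the key from the environment, redacts bearer tokens from log text, and maps the error envelope shown above to an operator action. The variable name `EGGAPI_API_KEY`, the action labels, and the treatment of any other `UNAUTHORIZED` message as a key problem are assumptions.

```python
import json
import os
import re

KEY_ENV_VAR = "EGGAPI_API_KEY"  # assumption: variable name chosen for this example
_BEARER_RE = re.compile(r"(?i)(bearer\s+)[^\s\"',]+")


def auth_headers(env=os.environ):
    """Build the Authorization header from the environment, not from source code."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key or any(c.isspace() for c in key):
        # Raise without echoing the value so a malformed key never reaches logs.
        raise RuntimeError(f"{KEY_ENV_VAR} is unset or malformed")
    return {"Authorization": f"Bearer {key}"}


def redact(text):
    """Mask bearer tokens before text is logged or attached to an error report."""
    return _BEARER_RE.sub(r"\1[REDACTED]", text)


def auth_failure(body):
    """Map an error envelope to an operator action; None if it is not an auth error."""
    try:
        error = json.loads(body)["error"]
        code, message = error["code"], str(error.get("message", ""))
    except (ValueError, TypeError, KeyError, AttributeError):
        return None  # success envelope ("error": null) or not the documented shape
    if code == "UNAUTHORIZED":
        if message.startswith(("Missing Authorization", "Invalid Authorization format")):
            return "fix-client-header"  # our request construction is wrong
        # Assumption: any other UNAUTHORIZED message concerns the key itself.
        return "replace-key"
    if code == "FORBIDDEN":
        return "account-not-active"  # rotating the key or retrying will not help
    return None


if __name__ == "__main__":
    # Constructed samples: a fake key and an error body in the documented shape.
    headers = auth_headers({KEY_ENV_VAR: "k_constructed_example"})
    print(redact(f"request headers: {headers}"))
    body = '{"data": null, "error": {"code": "FORBIDDEN", "message": "User account is suspended"}}'
    print(auth_failure(body))
```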