
Authentication

All API requests (except health checks and Stripe webhooks) require a Bearer token in the Authorization header.

API Keys

API keys have the format:

pj_live_<8-char-prefix><64-char-hex>

Total length: 72 characters. The prefix allows quick identification in logs and databases.

Key Security

  • Keys are never stored in plaintext. PromptJang stores SHA256(key + pepper) where the pepper is a server-side secret (AUTH_PEPPER).
  • Key comparison uses constant-time equality to prevent timing attacks.
  • The full key is returned only once — when you create it. Store it securely.
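The three properties above, sketched server-side as an added example (not PromptJang's own code). The function names and the in-memory `store` are hypothetical, the `pepper` argument stands in for AUTH_PEPPER, and the key shape is an assumption taken from the sample key on this page (`pj_live_` plus 64 hex characters, with the first 16 characters as the stored prefix).

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Assumption: key shape from this page's sample key, 72 characters in total.
# The first 16 characters ("pj_live_" + 8 hex) are the prefix kept for lookups.
KEY_RE = re.compile(r"pj_live_[0-9a-f]{64}")
PREFIX_LEN = 16


def hash_key(key: str, pepper: bytes) -> str:
    """SHA256(key + pepper) as hex; this digest is the only form stored."""
    return hashlib.sha256(key.encode() + pepper).hexdigest()


def issue_key(store: dict, name: str, pepper: bytes) -> str:
    """Create a key, record (name, digest) under its prefix, return the key once."""
    key = "pj_live_" + secrets.token_hex(32)
    store.setdefault(key[:PREFIX_LEN], []).append((name, hash_key(key, pepper)))
    return key


def authenticate(header: Optional[str], store: dict, pepper: bytes) -> Optional[str]:
    """Return the key name for a valid Authorization header, else None (a 401)."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "bearer" or not KEY_RE.fullmatch(token):
        return None
    digest = hash_key(token, pepper)
    # Prefix narrows the candidates; digests are compared in constant time, not with ==.
    for name, stored in store.get(token[:PREFIX_LEN], []):
        if hmac.compare_digest(digest, stored):
            return name
    return None


if __name__ == "__main__":
    demo_pepper = b"constructed-demo-pepper"  # constructed value, not a real secret
    demo_store: dict = {}
    full_key = issue_key(demo_store, "Production key", demo_pepper)
    print(authenticate("Bearer " + full_key, demo_store, demo_pepper))
    print(demo_store)  # holds prefixes and digests only, never the full key
```
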

Managing Keys

Create a Key

bash
curl -X POST https://api.promptjang.net/api/v1/keys \
  -H "Authorization: Bearer pj_live_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Production key"}'

Response includes the full key (shown only once):

json
{
  "id": "key_abc123...",
  "name": "Production key",
  "key": "pj_live_451560fa...",
  "prefix": "pj_live_451560fa",
  "created_at": "2026-05-26T12:00:00Z"
}

List Keys

bash
curl https://api.promptjang.net/api/v1/keys \
  -H "Authorization: Bearer pj_live_YOUR_API_KEY"

Only the prefix is returned (not the full key).

Delete a Key

bash
curl -X DELETE https://api.promptjang.net/api/v1/keys/key_abc123... \
  -H "Authorization: Bearer pj_live_YOUR_API_KEY"

Authorization Header

Authorization: Bearer pj_live_451560faf7e81b894ff13cdefd27fb0f1017ffbb9721fea67b133c8360360623

Missing or invalid keys return 401 Unauthorized:

json
{
  "detail": "Unauthorized"
}

Released under the MIT License.