Pomelo

Authentication

Our API uses API keys for authentication. Every request to the API must include your API key, which you can manage from your dashboard. This page explains how to create, use, and manage your API keys securely.

API Key Security

Your API keys carry significant privileges, so be sure to keep them secure! Do not share your API keys in publicly accessible areas such as GitHub, client-side code, or in your frontend application.

Creating API Keys

To create a new API key:

  1. Log in to your account dashboard
  2. Navigate to API Keys in the settings section
  3. Click "Create New API Key"
  4. Enter a descriptive name for your key (e.g., "Production Server", "Development Environment")
  5. Click "Generate Key" to create your new API key

Important: Your API key will only be shown once when it's created. Make sure to copy it and store it securely, as you won't be able to view it again. If you lose your API key, you'll need to generate a new one.

Using API Keys

You should include your API key in the Authorization header of all API requests, using the Bearer authentication scheme:

Authorization: Bearer YOUR_API_KEY

Example in Python

import pomeloapi

# Initialize with your API key
client = pomeloapi.Client(api_key="YOUR_API_KEY")

# Now you can make authenticated requests
response = client.chat.completions.create(
    model="gpt-4",
    messages=[{"role": "user", "content": "Hello world"}]
)

Example in JavaScript

import { PomeloAPI } from 'pomeloapi';

// Initialize with your API key
const client = new PomeloAPI({ apiKey: 'YOUR_API_KEY' });

// Make authenticated requests
const response = await client.chat.completions.create({
  model: 'gpt-3.5-turbo',
  messages: [{ role: 'user', content: 'Hello world' }]
});

Direct API Request

curl https://www.pomeloapi.com/v1/tasks \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "model": "gpt-4",
    "messages": [{"role": "user", "content": "Hello world"}]
  }'

Managing API Keys

You can manage your API keys from your account dashboard. From there, you can:

  • Create new API keys
  • View all your active API keys
  • Delete API keys that are no longer needed
  • Monitor API key usage and activity

Key Rotation

For enhanced security, we recommend regularly rotating your API keys. This is especially important for production keys that are used in multiple places. To rotate a key:

  1. Create a new API key
  2. Update your applications to use the new API key
  3. Verify that everything works with the new key
  4. Delete the old API key

Best Practices

  • Never hardcode API keys in your application source code. Use environment variables or a secure secrets manager instead.
  • Don't expose your API key in client-side code (e.g., JavaScript that runs in the browser). Instead, make API calls from your server.
  • Create separate keys for different applications or services to limit the impact of a compromised key.
  • Monitor API key usage regularly to detect unauthorized or unexpected access.
  • Rotate API keys periodically, especially if you suspect they might be compromised.
  • Delete unused API keys to reduce your attack surface.
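The first and fourth practices above, as an added example (not Pomelo's own code): it reads the key from the environment, refuses to start on a missing or placeholder value, and scrubs Bearer credentials from log output. The variable name POMELO_API_KEY, the helper names, and the sample key are assumptions made for this example.

```python
import logging
import os
import re

# Assumption: POMELO_API_KEY is a name chosen for this example, not one the page defines.
ENV_VAR = "POMELO_API_KEY"
PLACEHOLDERS = {"", "YOUR_API_KEY"}
# Captures the credential that follows the Bearer scheme in a header or log line.
BEARER_RE = re.compile(r"(Bearer\s+)([^\s\"']+)", re.IGNORECASE)


def load_api_key(environ=None):
    """Return the key from the environment; fail closed if unset or a placeholder."""
    environ = os.environ if environ is None else environ
    key = environ.get(ENV_VAR, "").strip()
    if key in PLACEHOLDERS:
        raise RuntimeError(f"{ENV_VAR} is not set to a real API key")
    return key


def auth_headers(key):
    """Build the Authorization header with the Bearer scheme described above."""
    return {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}


def redact(text):
    """Mask bearer credentials; keep the last 4 chars so a key can still be identified."""
    def _mask(m):
        tail = m.group(2)[-4:] if len(m.group(2)) > 8 else ""
        return f"{m.group(1)}****{tail}"
    return BEARER_RE.sub(_mask, text)


class RedactBearer(logging.Filter):
    """Logging filter that scrubs bearer credentials from the formatted message."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    # Constructed sample value, not a real key.
    key = load_api_key({ENV_VAR: "pk_constructed_sample_1234"})
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("client")
    log.addFilter(RedactBearer())
    log.info("sending headers %s", auth_headers(key))
```

The filter only covers records emitted through the logger it is attached to, so attach it to every logger (or handler) that may see request headers.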

Next Steps

Now that you understand how to authenticate with our API, you can: