Authentication

Two flavours, depending on which API you call:

Developer API — Bearer API key#

Get a key#

Dashboard → API keys → Create new key. Shown once at creation; we store only a hash.

sk-siati-rB3vT2_KdN9...

Use the key#

curl https://api.siati.ai/v1/chat/completions \
  -H "Authorization: Bearer sk-siati-rB3vT2_KdN9..." \
  -H "Content-Type: application/json" \
  -d '{...}'

Per-request tier override#

X-Siati-Tier: ludicrous

Defaults to the key's configured tier; per-request override must be allowed by your plan.

Rotate or revoke#

Dashboard → API keys → trash icon. Keys revoked are immediately rejected (no grace period).

Mobile / app API — JWT#

The mobile app authenticates with email + password to obtain a JWT, then sends it on every request:

# Step 1 — login
curl https://my.siati.ai/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "u@example.com", "password": "..."}'
# → { "token": "eyJhbGciOi...", "expires_at": "..." }

# Step 2 — use the token
curl https://my.siati.ai/api/v1/me/boot \
  -H "Authorization: Bearer eyJhbGciOi..."

JWT TTL is 30 days by default; refresh via POST /auth/refresh.

What if I want both?#

Power users can have both. The API key is the right answer for server-to-server calls; the JWT is for end-user app sessions where login state matters.

Errors#

All errors return the OpenAI-compatible shape:

{
  "error": {
    "message": "invalid api key",
    "type": "invalid_request_error",
    "code": "invalid_api_key"
  }
}