Authentication

All API calls require a Bearer token. API keys live in your siati.ai account and never leave Switzerland.

Required header

Authorization: Bearer siati_<32 random characters>

Generating a key

Dashboard → API keys → Create key.

  • The key is shown only once at creation time. Copy it into a password manager. We cannot recover it — only the SHA-256 hash is stored.
  • You can create multiple keys to separate environments (dev/prod) or services.
  • Each key gets a label (e.g. prod-rag-pipeline) to identify it in usage logs.

Rotating a key

Dashboard → API keys → Revoke next to the key to invalidate it. Revocation takes effect immediately: any further call with that key returns 401 invalid_api_key.

Always create the new key before revoking the old one, to avoid downtime.

Operational security

Don't commit keys to your repo

Use environment variables (SIATI_API_KEY), a secret manager (1Password, Bitwarden, Vault), or platform-level injection (Kubernetes Secret, AWS Secrets Manager, etc.).
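One way to enforce this before a key reaches the repository, as an added example (not siati.ai's own tooling): a pre-commit scanner for strings shaped like the siati_ + 32-character key shown under Required header. It assumes the 32 characters are ASCII letters and digits; the sample key and the file name config.py are constructed.

```python
import hashlib
import re
import sys

# Assumption: the 32 random characters are ASCII letters and digits.
# The lookarounds reject longer identifiers that merely contain a key-like run.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])siati_[A-Za-z0-9]{32}(?![A-Za-z0-9])")

# Constructed sample input. The key is made up and assembled by concatenation
# so this file does not trip the scanner when it scans itself.
SAMPLE = (
    "# Authorization: Bearer siati_<32 random characters>\n"
    'API_KEY = "siati_' + "a1B2c3D4" * 4 + '"\n'
    'api_key = os.environ["SIATI_API_KEY"]\n'
)


def scan_text(text, path):
    """Return (path, line number, fingerprint) for every key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            # Report a truncated SHA-256 instead of the key so the finding
            # can be logged or pasted into a ticket without leaking it again.
            digest = hashlib.sha256(match.group().encode()).hexdigest()
            findings.append((path, lineno, digest[:12]))
    return findings


def main(paths):
    """Pre-commit entry point: a return value of 1 blocks the commit."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += scan_text(fh.read(), path)
        except OSError as exc:
            print(f"skip {path}: {exc}", file=sys.stderr)
    for path, lineno, fp in findings:
        print(f"{path}:{lineno}: siati.ai API key (sha256 {fp}...)", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from a pre-commit hook with the staged file paths as arguments. A key it flags should be treated as exposed and rotated as described under Rotating a key, since removing it from the working tree does not remove it from history.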

For CI/CD pipelines

Use dedicated keys, labelled (e.g. github-actions-build), with minimal scope. Rotate at least quarterly.

What we log

For each call we store: timestamp, model, tier, in/out tokens, latency, status code, and a hash of the API key (never the key in cleartext). The content of prompts and responses is not stored unless you explicitly enable audit logging on your account (default: off).

See Privacy for details.