Authentication

Every request to the Rikaii HTTP API must include your API key so we can identify your workspace and enforce quotas, routing rules, and billing.

Never expose keys in the browser

Never expose your Rikaii API key in client-side code (such as React, Vue, or static sites). Keys in bundles or browser storage can be extracted. Always route requests through your own secure backend (or a trusted serverless function) that holds the secret and calls Rikaii.

Bearer token

Pass the API key in the Authorization header using the Bearer scheme:

Authorization: Bearer <your-api-key>

Example:

POST /v1/chat/completions HTTP/1.1
Host: api.rikaii.com
Authorization: Bearer sk_rikaii_xxxxxxxxxxxxxxxxxxxx
Content-Type: application/json

Do not send the key in query parameters or log it in client-visible errors.

Key scope

API keys are tied to your Rikaii account. Create and rotate keys under API keys in the Dashboard; changes apply to new requests immediately (subject to caching at the edge).

Metered usage

When traffic is routed using Rikaii-managed keys, usage is metered to your Rikaii account according to your plan. Review usage and payment methods under Billing.

BYOK

If you configure bring-your-own-key (BYOK) and the request is satisfied entirely with your provider credentials, upstream charges apply under your agreement with that provider; Rikaii may still record metadata for routing and observability. Configure BYOK under Settings (Pro required). See BYOK integration.

Errors

See Errors for HTTP status codes and JSON error shape.

Always inspect the JSON error payload when present.