Authentication
A single Kindo API key authenticates /v1/chat/completions,
/v1/responses, and /v1/messages. There are no per-protocol
credentials.
Get your API key
- Sign in to the Kindo Terminal.
- Open Settings (gear icon) > API.
- Copy your API key.
If you do not see the API tab, ask your organization admin to enable Personal API Key Access for at least one user group you belong to. Self-managed deployments expose the same key in the same place; only the base URL differs.
Send the key
Both header forms work on all three APIs:
| Header | Example | Notes |
|---|---|---|
Authorization: Bearer | Authorization: Bearer YOUR_API_KEY | Preferred for raw HTTP clients and for the OpenAI SDKs (OPENAI_API_KEY populates this). |
x-api-key | x-api-key: YOUR_API_KEY | Preferred for Anthropic SDKs and Claude Code (ANTHROPIC_API_KEY populates this). |
Pick whichever is idiomatic for the client you’re using — both authenticate the same way and resolve to the same caller identity.
Precedence
If both headers are present on a single request, Authorization: Bearer
takes precedence. If the Authorization header is present but
malformed (for example, an empty token, or a non-Bearer scheme like
Basic), the request is rejected outright instead of falling back to
x-api-key.
Key format
Kindo API keys are opaque strings. Treat them as secrets:
- Store them in your secret manager (1Password, Doppler, AWS Secrets Manager, Vault).
- Inject them at runtime via environment variables.
- Never commit them to source control.
- Rotate them through the Kindo Terminal if you suspect exposure.
Identity and permissions
API keys inherit the permissions of the user who created them. Specifically:
- Model and provider access restrictions configured on the user’s user groups apply to API requests.
- Personal API Key Access must be enabled on at least one user group the user belongs to.
- Ask Mode Only is enforced on
/v1/responses. - DLP filters that protect the Terminal UI also apply to API requests.
- All API calls are recorded in your organization’s audit trail.
Self-managed deployments
For self-managed Kindo installations, replace api.kindo.ai
everywhere with your deployment’s API base URL. Header semantics,
key format, and identity rules are unchanged.
Errors
| Status | Meaning |
|---|---|
401 | The key was missing, malformed, or revoked. Check your Authorization / x-api-key header. |
403 | The key authenticated, but lacks permission for the model. |
Each protocol formats the error envelope differently — see the
per-API errors page (/apis/<protocol>/errors/) for shapes.
See also
- Getting started — pick your client.
- Model catalog — discover available model IDs once authenticated.