Getting started

Authentication

Mintoken uses a two-key model: one key identifies you on the proxy, the other is your own provider key that we forward upstream. Understanding the split is 90% of knowing how to use the API.

The two keys

Key	Where it goes	What it does
`mt_live_…` mintoken key	`Authorization: Bearer …`	Identifies your mintoken account. Used to track usage, apply plan quotas, and scope your analytics.
`sk-…` / `sk-ant-…` / Google API key provider key	`X-Provider-Key: …`	Your own OpenAI / Anthropic / Google key. Mintoken forwards it to the upstream provider and never persists it.

curl https://api.mintoken.in/v1/chat/completions \
  -H "Authorization: Bearer mt_live_xxxxx" \
  -H "X-Provider-Key: sk-proj-xxxxx" \
  -H "Content-Type: application/json" \
  -d '{ "model": "gpt-4o-mini", "messages": [...] }'

Why not just one key?

We could hold your provider key server-side and give you only a mintoken key, but that means we'd need to encrypt, rotate, and audit access to your provider credentials. The two-key model keeps you in control — your OpenAI bill is still charged to your OpenAI account, not ours, and if you revoke your provider key upstream, that immediately cuts mintoken off too.

Creating mintoken API keys

The easiest way to create a key is in the dashboard: click New key, pick a name and intensity, done. You'll see the raw key in a confirmation modal — copy it immediately, because it's not recoverable.

Programmatically

Key management endpoints live under /v1/auth/keys and authenticate with a Supabase access token (the JWT returned from POST /v1/auth/login), not with a mintoken key. See the Key management reference for the full API.

Key rotation

If a key leaks — commits, logs, accidental screen-shares — rotate immediately. Mintoken keys can't be edited in place; rotation means creating a new one and revoking the old:

# Create a new key
curl -X POST https://api.mintoken.in/v1/auth/keys \
  -H "Authorization: Bearer <supabase-jwt>" \
  -H "Content-Type: application/json" \
  -d '{"name": "Production v2", "intensity": "full"}'

# Response (raw_key shown exactly once):
# {
#   "id": "…", "raw_key": "mt_live_abc123…",
#   "key_prefix": "mt_live_abc1", "name": "Production v2", …
# }

# Revoke the old key
curl -X DELETE https://api.mintoken.in/v1/auth/keys/<old-key-id> \
  -H "Authorization: Bearer <supabase-jwt>"

Revoked keys fail closed

The instant you revoke a key, every in-flight request using it returns401 Invalid API key. There is no soft cutover. Deploy the new key everywhere, then revoke the old one.

The X-Provider-Key header

Your provider key is sent on every request in the X-Provider-Keyheader. Mintoken uses it to authenticate to the upstream provider and then discards it — we don't log it, store it, or include it in error responses.

Specifics by provider:

Provider	Endpoint	Upstream header mintoken writes
OpenAI	`/v1/chat/completions`	`Authorization: Bearer <your-key>`
Anthropic	`/v1/messages`	`x-api-key: <your-key>`
Google	`/v1/generateContent`	`?key=<your-key>` (query param)

Auth errors

Status	Meaning
`401 Missing API key`	No `Authorization: Bearer …` header. Add it.
`401 Invalid API key`	Key format wrong, key not found, or key was revoked. Check prefix — valid keys start with `mt_live_`.
`400 Missing X-Provider-Key header`	You're authenticated with mintoken but didn't include your upstream provider key.
`429 token quota exceeded`	You've hit the monthly token limit on your plan. Upgrade in the dashboard.

← Previous

Quickstart

OpenAI proxy