Authentication
API keys and the headers you'll use on every call.
API keys
beatra uses bearer-token authentication. Every request carries:
Create and revoke keys at dashboard.beatra.ai under Settings → API Keys.
Key properties
- Project-scoped — keys belong to a tenant project and can be revoked independently.
- Prefix-visible / suffix-secret — the first 12 characters are recoverable from the dashboard; the rest is shown once at creation.
- Revocable — revocation propagates within ~30 seconds.
Rotating a key
Create a new key, deploy it to your servers, then revoke the old one. Both can be active in parallel during the cutover; there's no atomic rotation flow. Rotate on any personnel change or suspected leak.
Test vs live
Keys do not carry a test/live mode. Set up a separate project under your tenant for sandbox traffic; that project gets its own key.
Base URL
Use the public API base URL for current integrations:
Region and data-residency fields may appear in schemas as future expansion points, but regional public entrypoints are not a setup step today.
Headers you'll use
| Header | Required? | Purpose |
|---|---|---|
| Authorization | yes | Bearer <api_key> |
| Content-Type | yes | application/json (most endpoints) |
| Idempotency-Key | strongly recommended | Dedup window 24h; safe-retry your POSTs |
| X-Request-Id | optional | Echoed on every response and in logs |
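The sketch below is an added example, not beatra's own code. It builds the headers from the table, reuses one Idempotency-Key across retries of the same POST, and logs only the 12-character key prefix that the dashboard also shows. `BASE_URL` is a placeholder, and the helper names, the injectable `send` transport and the retry policy (connection errors and 5xx) are assumptions.

```python
import json, time, uuid
import urllib.error, urllib.request

# Placeholder, not the real endpoint: substitute the documented public base URL.
BASE_URL = "https://api.example.invalid"

def redact_key(api_key):
    """Log-safe form: only the 12-character prefix that the dashboard can show."""
    return api_key[:12] + "..."

def build_headers(api_key, idempotency_key, request_id):
    # Reject empty keys and whitespace (CR/LF would allow header injection).
    if not api_key or any(c.isspace() for c in api_key):
        raise ValueError("API key missing or malformed")
    return {
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
        "Idempotency-Key": idempotency_key,
        "X-Request-Id": request_id,
    }

def http_send(url, headers, body):
    """Real transport: returns (status, echoed X-Request-Id)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.headers.get("X-Request-Id")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("X-Request-Id")

def post_with_retry(path, payload, api_key, send=http_send, attempts=3,
                    backoff=0.5, log=print):
    """POST with a single Idempotency-Key shared by every attempt, so a retry
    inside the dedup window is not processed a second time."""
    idem = str(uuid.uuid4())
    body = json.dumps(payload).encode()
    for attempt in range(1, attempts + 1):
        rid = str(uuid.uuid4())  # fresh correlation id per attempt
        try:
            status, echoed = send(BASE_URL + path, build_headers(api_key, idem, rid), body)
        except OSError as exc:  # connection failure or timeout (assumed retryable)
            status, echoed = f"error:{exc}", None
        log(f"key={redact_key(api_key)} rid={rid} echoed={echoed} "
            f"attempt={attempt} status={status}")
        if isinstance(status, int) and status < 500:
            return status, idem
        time.sleep(backoff * attempt)
    raise RuntimeError("request failed after retries")
```

Load the key from your secret store or environment at call time rather than embedding it in source, so rotation is a configuration change.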
Response headers
Every response includes the request correlation id:
| Header | Meaning |
|---|---|
| X-Request-Id | Client-provided request id, or one generated by beatra |
Rate-limit headers are planned, but are not part of the current public runtime contract. For sync chat, the resolved model is the response body's model field.
What you don't need
- No SDK. Standard HTTP works; OpenAI's official SDKs are wire-compatible for text chat and Preview model listing.
- No OAuth. Bearer keys only.
- No vendor-specific public headers. Use only the headers listed above.
- No webhook subscription management. Customer callbacks are Planned and per-request; see The async task model.