All API endpoints (except GET /health) require authentication via a Bearer token in the Authorization header.
Keys are prefixed with theo_sk_ for identification:
All keys are production keys — requests are billed against your credit balance.
Making Authenticated Requests
Include the key in every request:
```bash
curl https://hitheo.ai/api/v1/completions \
  -H "Authorization: Bearer theo_sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{"prompt": "Hello"}'
```
With the SDK, pass it during initialization:
```typescript
import { Theo } from "@hitheo/sdk";
const theo = new Theo({ apiKey: process.env.THEO_API_KEY! });
```
Key Management
Create and manage keys from the API Dashboard or via the API:
```bash
# Create a key
curl -X POST https://hitheo.ai/api/v1/keys \
  -H "Authorization: Bearer $THEO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Production Server"}'
```
Security Best Practices
Never expose API keys in client-side code, public repositories, or logs.
- Store keys in environment variables or a secrets manager
- Use test keys (theo_sk_test_) for development
- Rotate keys regularly from the dashboard
- Set per-key rate limits and spending caps
Error Responses
| Status | Error Code | Description |
|---|---|---|
| 401 | invalid_api_key | Key is missing, malformed, or revoked |
| 402 | insufficient_credits | Account has insufficient balance |
| 429 | rate_limit_exceeded | Too many requests — check Retry-After header |
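
The three statuses in the table call for different client behaviour, and the best-practice list requires keys to stay out of logs. The JavaScript below is an added example, not Theo SDK code: the helper names (`redactKeys`, `retryAfterMs`, `classify`, `theoRequest`) are hypothetical, the key character set after `theo_sk_` is assumed, and only the HTTP status and the `Retry-After` header are read because the page does not show the error body.

```javascript
// Added example, not Theo SDK code. Helper names are hypothetical.
// Assumed: key characters after the documented theo_sk_ prefix are [A-Za-z0-9_].
const KEY_PATTERN = /theo_sk_[A-Za-z0-9_]+/g;

// Mask anything that looks like a key before it reaches a log or error message.
function redactKeys(text) {
  return String(text).replace(KEY_PATTERN, "theo_sk_[REDACTED]");
}

// Retry-After is delay-seconds or an HTTP-date (RFC 9110). Returns a capped wait in ms.
function retryAfterMs(value, nowMs = Date.now(), capMs = 60000) {
  if (value == null || value === "") return 1000; // header absent: default back-off
  const secs = Number(value);
  const ms = Number.isFinite(secs) ? secs * 1000 : Date.parse(value) - nowMs;
  if (!Number.isFinite(ms) || ms < 0) return 1000; // unparsable or already past
  return Math.min(ms, capMs);
}

// Map a status from the table to an action. Only 429 is worth retrying:
// 401 and 402 cannot succeed until the key or the credit balance changes.
function classify(status, retryAfter, nowMs) {
  if (status === 401) return { action: "fail", reason: "invalid_api_key" };
  if (status === 402) return { action: "fail", reason: "insufficient_credits" };
  if (status === 429) {
    return { action: "retry", reason: "rate_limit_exceeded", waitMs: retryAfterMs(retryAfter, nowMs) };
  }
  return { action: status >= 200 && status < 300 ? "ok" : "fail", reason: `http_${status}` };
}

// POST with bounded 429 retries. fetchImpl and sleep are injectable for offline testing.
async function theoRequest(url, body, apiKey, opts = {}) {
  const { fetchImpl = fetch, maxRetries = 3 } = opts;
  const sleep = opts.sleep || ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(url, {
      method: "POST",
      headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" },
      body: JSON.stringify(body),
    });
    const verdict = classify(res.status, res.headers.get("retry-after"));
    if (verdict.action === "ok") return res;
    if (verdict.action === "retry" && attempt < maxRetries) {
      await sleep(verdict.waitMs);
      continue;
    }
    // Never echo the Authorization header; redact in case a key appears in the URL.
    throw new Error(redactKeys(`${verdict.reason} (HTTP ${res.status}) for ${url}`));
  }
}
```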