Skip to main content
All API endpoints (except GET /health) require authentication via a Bearer token in the Authorization header.

API Key Format

Keys are prefixed with theo_sk_ for identification:
All keys are production keys — requests are billed against your credit balance.

Making Authenticated Requests

Include the key in every request:
Always call the www host. The apex hitheo.ai 307-redirects to www.hitheo.ai and most HTTP clients strip the Authorization header on 3xx responses — the redirected request arrives unauthenticated and returns 401. See 401 Troubleshooting for the full picture.
With the SDK, pass it during initialization:

Key Management

Create and manage keys from the API Dashboard or via the API:

First-Run Diagnostic

If anything doesn’t work on the first call, run the SDK verifier before hunting through logs:
Common failure modes and fixes live on the 401 Troubleshooting page.

Security Best Practices

Never expose API keys in client-side code, public repositories, or logs.
  • Store keys in environment variables or a secrets manager
  • Use test keys (theo_sk_test_) for development
  • Rotate keys regularly from the dashboard
  • Set per-key rate limits and spending caps

Error Responses