API Reference
Authentication
API key usage across SDK, React, and REST API tracks.
One rule for all tracks
For authenticated workflows, send a valid API key from the API Keys dashboard.
For public workflows (authentication turned off), x-api-key is not required. Access is controlled by the workflow allowlist using request Origin / Referer.
amarsia.init(options)
```ts
import { amarsia } from "@amarsia/sdk"

const client = amarsia.init({
  apiKey: process.env.AMARSIA_API_KEY!,
  deploymentId: "dep_123",
})

await client.run({
  content: [{ type: "text", text: "Hello" }],
})
```

Pass apiKey in amarsia.init(...). The SDK adds the auth header on every request automatically — you never touch it again.
| Option | Type | Required |
|---|---|---|
| apiKey | string | No (required only for authenticated workflows) |
| deploymentId | string | No |
| baseUrl | string | No |
| dangerouslyAllowBrowserApiKey | boolean | No |
| fetch | function | No |
Public workflows (allowlist auth)
If a workflow has Authentication disabled in the dashboard:
- You can omit apiKey in SDK and omit x-api-key in REST.
- Access is checked against the workflow allowlist (origin/referrer).
- Requests from disallowed origins return 403.
Common auth errors
| Status | Meaning | Fix |
|---|---|---|
| 401 | Missing or invalid key for authenticated workflow | Pass a valid key |
| 403 | Origin or key not allowed | Check allowlist / project permissions |
Security basics
- Keep keys server-side only
- Never commit keys to git
- Rotate immediately if leaked
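
One way to apply "Keep keys server-side only", as an added example that is not Amarsia's own code: the browser posts plain text to your backend, and only the backend holds the key and calls client.run. The names parseClientBody, makeRunHandler and MAX_TEXT_LENGTH are hypothetical, and the value returned by client.run is treated as opaque because this page does not document it.

```javascript
// Added example: server-side handler that keeps the API key off the client.
// Real wiring (assumed; needs @amarsia/sdk installed on the server):
//   const client = amarsia.init({ apiKey: process.env.AMARSIA_API_KEY, deploymentId: "dep_123" })
//   const handle = makeRunHandler(client)

const MAX_TEXT_LENGTH = 4000; // hypothetical limit; tune for your workflow

// Accept only { text: string } from the browser. Any other field the client
// sends (a key, a deployment id) is ignored and never forwarded.
function parseClientBody(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return { ok: false, error: "body must be JSON" };
  }
  if (parsed === null || typeof parsed !== "object" || typeof parsed.text !== "string") {
    return { ok: false, error: "text must be a string" };
  }
  const text = parsed.text.trim();
  if (text.length === 0 || text.length > MAX_TEXT_LENGTH) {
    return { ok: false, error: "text length out of range" };
  }
  return { ok: true, text };
}

// client is any object with run(), e.g. the one returned by amarsia.init(...).
function makeRunHandler(client) {
  return async function handle(rawBody) {
    const input = parseClientBody(rawBody);
    if (!input.ok) return { status: 400, body: { error: input.error } };
    try {
      // Request shape taken from the SDK snippet on this page.
      const result = await client.run({
        content: [{ type: "text", text: input.text }],
      });
      return { status: 200, body: { result } };
    } catch (err) {
      // Log on the server only; return a generic message so upstream
      // error text never reaches the browser.
      console.error("workflow call failed:", err && err.message);
      return { status: 502, body: { error: "upstream request failed" } };
    }
  };
}
```

Mount handle behind whatever HTTP framework the backend already uses, with the key supplied through the server's environment rather than the client bundle.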