Authentication
Secret vs publishable keys, header shapes, and endpoint restrictions.
Key kinds
| Kind | Prefix | Where to use | Scope |
|---|---|---|---|
| Secret | lm_live_… / lm_test_… | Servers, CI, edge functions | Full REST (logos, JSON, batch, refresh, …) |
| Publishable | Distinct *_pub_* pattern | <img src> and public GET logo URLs | GET image/logo routes only |
When a publishable key hits a non-logo route, the Worker returns a problem+json error explaining the restriction.
Publishable keys are GET-only on logo routes
Publishable derivatives are designed to ride in <img src> URLs. Color, intelligence, brand-kit, and batch routes reject them on purpose so leaked tokens can't drain JSON quotas.
Header & query extraction
The Worker accepts, in order:
- `x-api-key: <key>`
- `Authorization: Bearer <key>`
- `?token=<key>` (required for publishable keys in browsers)
Values are normalised (quotes and stray whitespace stripped).
Anonymous demo
Logo routes accept requests with no key for small (≤128px) previews. Anonymous requests draw on a per-IP budget shared with everyone else behind that IP; add a free key for predictable limits.
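The sections above describe three behaviours that a Worker has to implement together: resolving the key from `x-api-key`, then `Authorization: Bearer`, then `?token=` (with quotes and whitespace stripped), classifying it as secret or publishable, and then refusing publishable keys and anonymous callers outside GET logo routes with a problem+json error. The following is an added example that is not the project's own Worker code. It assumes a publishable key is recognised by an `_pub_` segment (the page only says "distinct *_pub_* pattern"), that logo routes live under `/logo`, that the preview size arrives as a `size` query parameter, and that the problem+json body follows the RFC 7807 fields; the sample keys are constructed.

```javascript
// Added example (not the project's own Worker code). Resolves the API key from a
// request in the documented precedence order, normalises it, classifies it, and
// enforces the publishable-key / anonymous restrictions with a problem+json error.
// Assumptions: publishable keys contain "_pub_"; logo routes are under "/logo";
// the preview size is a "size" query parameter; problem+json fields per RFC 7807.

const SECRET_PREFIXES = ["lm_live_", "lm_test_"]; // from the key table
const LOGO_ROUTE = /^\/logo(\/|$)/;                // assumed path shape
const ANON_MAX_SIZE = 128;                          // anonymous previews: <=128px

// Strip surrounding quotes and stray whitespace, as the Worker does.
function normaliseKey(raw) {
  if (typeof raw !== "string") return null;
  const v = raw.trim().replace(/^["']+|["']+$/g, "").trim();
  return v.length ? v : null;
}

// Precedence: x-api-key header, then Authorization: Bearer, then ?token=.
function extractApiKey(req) {
  const url = new URL(req.url);
  const fromHeader = normaliseKey(req.headers.get("x-api-key"));
  if (fromHeader) return { key: fromHeader, source: "x-api-key" };
  const m = /^\s*Bearer\s+(.+)$/i.exec(req.headers.get("authorization") || "");
  const fromBearer = m ? normaliseKey(m[1]) : null;
  if (fromBearer) return { key: fromBearer, source: "authorization" };
  const fromQuery = normaliseKey(url.searchParams.get("token"));
  if (fromQuery) return { key: fromQuery, source: "query" };
  return { key: null, source: null };
}

function classifyKey(key) {
  if (!key) return "anonymous";
  if (SECRET_PREFIXES.some((p) => key.startsWith(p))) return "secret";
  if (key.includes("_pub_")) return "publishable"; // assumed pattern
  return "unknown";
}

// Minimal RFC 7807 problem+json response (assumed shape).
function problem(status, title, detail) {
  return {
    status,
    headers: { "content-type": "application/problem+json" },
    body: { type: "about:blank", title, status, detail },
  };
}

// Returns null when the request may proceed, otherwise a problem+json response.
function authorize(req) {
  const url = new URL(req.url);
  const isLogoRoute = LOGO_ROUTE.test(url.pathname);
  const { key } = extractApiKey(req);
  const kind = classifyKey(key);

  if (kind === "secret") return null; // full REST access
  if (kind === "publishable") {
    if (req.method === "GET" && isLogoRoute) return null;
    return problem(403, "Publishable key not permitted here",
      "Publishable keys are accepted only on GET logo routes; use a secret key from a server.");
  }
  if (kind === "anonymous") {
    const size = Number(url.searchParams.get("size") || ANON_MAX_SIZE);
    if (req.method === "GET" && isLogoRoute && size <= ANON_MAX_SIZE) return null;
    return problem(401, "API key required",
      "Anonymous access is limited to small logo previews; add a free key for predictable limits.");
  }
  return problem(401, "Unrecognised API key",
    "The supplied key does not match a known key format.");
}

// Constructed request stand-in so the example runs without a Workers runtime;
// header names are matched case-insensitively like the Headers API.
function makeRequest(method, url, headers = {}) {
  const map = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return { method, url, headers: { get: (n) => map.get(n.toLowerCase()) ?? null } };
}
```

In a real Worker `authorize` would run before routing, and the returned object would be turned into a `Response` with the `application/problem+json` content type; the precedence order matters because a browser can only supply `?token=`, while a server that sets `x-api-key` should not be overridden by a stray query parameter.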
Rotation
Disable a compromised key in the dashboard and create a replacement. KV caches roll forward within minutes; use ADMIN_GRANT_SECRET tooling in production if you need an immediate bust (internal).
Related
| Topic | Links |
|---|---|
| Quick steps | /docs/quickstart |
| OpenAPI schemes | /docs/api/openapi |
| Server JSON | /docs/api/intelligence, /docs/api/brand-endpoints |
| Billing context | /docs/billing/how-billing-works |
| Playground | /docs/playground |