Skip to main content

Getting Your API Key

  1. Log in to your anyformat account
  2. Navigate to the API Key page to generate a new API key and copy it. For security reasons, the API key will only be displayed once.

Authentication Method

Use your API key in the Authorization header with Bearer format:
Authorization: Bearer YOUR_API_KEY

Using Your API Key

Include your API key in the request headers for all API requests:
curl "https://api.anyformat.ai/v2/workflows/" \
     -H "Authorization: Bearer YOUR_API_KEY"
import os
from anyformat.sdk import Client

# Pass explicitly
client = Client(api_key="your_api_key_here")

# Or read from the environment
client = Client(api_key=os.environ["ANYFORMAT_API_KEY"])
import requests

headers = {
    "Authorization": "Bearer YOUR_API_KEY"
}

response = requests.get(
    "https://api.anyformat.ai/v2/workflows/",
    headers=headers
)
const response = await fetch('https://api.anyformat.ai/v2/workflows/', {
  method: 'GET',
  headers: {
    'Authorization': 'Bearer YOUR_API_KEY'
  }
});

const data = await response.json();
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.net.URI;

HttpClient client = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
    .uri(URI.create("https://api.anyformat.ai/v2/workflows/"))
    .header("Authorization", "Bearer YOUR_API_KEY")
    .GET()
    .build();

HttpResponse<String> response = client.send(request,
    HttpResponse.BodyHandlers.ofString());
package main

import (
    "net/http"
)

func main() {
    client := &http.Client{}
    req, _ := http.NewRequest("GET", "https://api.anyformat.ai/v2/workflows/", nil)
    req.Header.Add("Authorization", "Bearer YOUR_API_KEY")

    resp, _ := client.Do(req)
}
use reqwest;

fn main() {
    let client = reqwest::blocking::Client::new();
    let response = client.get("https://api.anyformat.ai/v2/workflows/")
        .header("Authorization", "Bearer YOUR_API_KEY")
        .send()
        .unwrap();

    println!("{}", response.text().unwrap());
}
The API accepts the Authorization header in any casing (for example, authorization, Authorization, or AUTHORIZATION). HTTP headers are case-insensitive per the HTTP specification.

Verifying a Key

Call GET /key-check/ to confirm a key is active before your first real request. It returns 200 with the owning organization on success and the standard 401 error envelope (MISSING_API_KEY / INVALID_API_KEY) otherwise. Nothing is billed and no run is created.

API Key Scoping

Each API key is tied to a single organization. All API requests made with that key operate within that organization’s data — you can only access workflows, files, and webhooks belonging to that organization.
  • A user who belongs to multiple organizations needs a separate API key for each one
  • Generating a new API key automatically revokes the previous key for the same organization
  • API keys grant the same access level as the user who created them (there are no granular scopes or permission restrictions on keys)
API keys are managed in the anyformat platform. The API does not expose key management endpoints.

Public Endpoints

The following endpoints do not require API key authentication:
  • / - API root
  • /health/ - Health check
  • /schema/ - OpenAPI schema
  • /docs/ - Swagger UI documentation

Revoking a Key

Generate a new key to automatically revoke the old one.

Security Best Practices

  1. Never share your API key - Treat it like a password
  2. Rotate keys periodically - Generate new keys on a regular schedule
  3. Use environment variables - Store keys in environment variables in production
  4. Monitor key usage - Watch for suspicious activity in your account
  5. Never expose in client-side code - API keys should only be used server-side
If you need to generate a new API key or suspect your key has been compromised, visit the API Key page in your anyformat app immediately.