Get started

Authentication

Every Kiara API request carries an Authorization: Bearer … header. Keys are minted in the dashboard and never re-shown after creation.

Key shape

Bearer tokens

Live keys have the shape kiara_live_… and count against your balance. Sandbox keys have the shape kiara_test_… and run free, never charging credits. New accounts start with a zero balance — top up credits with crypto before running live generations.

Where to put it

Server-side only

Customer backends only. Never ship a Kiara key inside a browser bundle or a mobile app binary. Origin and IP restrictions below are defense in depth, not a substitute.
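A build-time check for the rule above, as an added example that is not part of Kiara's own documentation: it scans built client artifacts for key-shaped strings and reports them redacted, so a CI job can fail before a bundle ships. The token character set and minimum length, the scanned file suffixes, and the default `dist` directory are assumptions; only the `kiara_live_` and `kiara_test_` prefixes come from this page.

```python
import re
import sys
from pathlib import Path

# Prefixes are from the page. The token body (charset, minimum length) is an
# assumption, because the page elides everything after the prefix.
KEY_RE = re.compile(rb"kiara_(live|test)_[A-Za-z0-9_-]{8,}")

# Constructed sample of a minified bundle with an embedded key (not a real key).
SAMPLE = b'const a=1;\nfetch(u,{headers:{Authorization:"Bearer kiara_live_CONSTRUCTED0000abcd"}})\n'

def scan_bytes(data: bytes):
    """Return (kind, redacted_key, line_number) for every key-shaped string."""
    findings = []
    for m in KEY_RE.finditer(data):
        kind = m.group(1).decode()
        tail = m.group(0).decode()[-4:]  # enough to identify the key in the dashboard
        line = data.count(b"\n", 0, m.start()) + 1
        findings.append((kind, f"kiara_{kind}_...{tail}", line))
    return findings

def scan_tree(root, suffixes=(".js", ".mjs", ".map", ".html", ".json")):
    """Scan shipped client artifacts under root; returns {relative_path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            hits = scan_bytes(path.read_bytes())
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

def gate(report):
    """CI exit status: 2 if a live key ships, 1 if only sandbox keys, 0 if clean."""
    kinds = {kind for hits in report.values() for kind, _, _ in hits}
    return 2 if "live" in kinds else 1 if kinds else 0

if __name__ == "__main__":
    report = scan_tree(sys.argv[1] if len(sys.argv) > 1 else "dist")
    for rel, hits in report.items():
        for kind, redacted, line in hits:
            print(f"{rel}:{line}: {kind} key {redacted}")
    sys.exit(gate(report))
```

A key this check finds in a built artifact should be treated as exposed and rotated, not just removed from the source.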

Defense in depth

Allowed origins & IPs

Each key supports an allowed-origin list and an allowed-IP list. Set them in /dashboard/keys. A request from an unlisted origin receives 403 origin_not_allowed; an unlisted IP receives 403 ip_not_allowed.

Rotation

Rotate keys

Create the new key, deploy it everywhere, then revoke the old one. Revoked keys return 401 authentication_failed immediately — there is no grace period.

Kiara API — image & video generation for your business.