Authentication

Foxora supports two ways to authenticate gateway requests: a Supabase JWT (used by the dashboard and desktop app) and a long-lived system API key (used by your own backends).

Pick the right token

Supabase JWT — obtained from sign-in. Short-lived (~1 hour). Use this for browser and desktop clients that already have a user session.
System API key — created in the dashboard, prefixed with foxora_sk_. Long-lived. Use this for backend services and CLIs.

Never put a system key in a browser

System keys grant full access to your account’s usage and spend. Keep them server-side only. If a key leaks, rotate it immediately from the dashboard.

Sending the token

Both token types go in the same header:

http

Authorization: Bearer YOUR_TOKEN_HERE

Creating a system key

Open Dashboard → Settings.
Scroll to API keys.
Click + New key, give it a name, and copy the value once — it isn’t shown again.
Store it in your secret manager or .env.

.env

FOXORA_API_KEY=foxora_sk_live_abc123...

Rotating & revoking

From the same settings page you can rotate (issue a new value) or revoke (delete) any key. Revoked keys stop working within seconds.

Verifying a token

To confirm a token is healthy, hit GET /v1/me. A 200 response means the token is valid and tells you which plan you’re on. See /v1/me.

PreviousAPI overview Next POST /v1/chat/completions