Authentication
All /v1/* image endpoints require an API key. Dashboard endpoints
(/v1/auth/*, /v1/usage, /v1/keys, /v1/billing/*) use a JWT
issued at signup/login.
API key
Two ways to send the same key:
Authorization: Bearer img_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X-Api-Key: img_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- Created in the dashboard. Plaintext shown once at creation — copy it immediately, we only store the SHA-256 hash.
- Revoke any time from the dashboard. Revoked keys reject with 401.
- Each call updates the key's last_used_at so you can tell if a key is still active.
JWT (dashboard)
Issued from POST /v1/auth/signup and POST /v1/auth/login as the
token field. Send as Authorization: Bearer <jwt>. Expires in 30 days.
Rate limits
- Global: 120 requests/min/IP.
- Auth endpoints (/v1/auth/*): 10 requests/min/IP.
A 429 response includes Retry-After. Idempotent retries (same
Idempotency-Key) do not consume additional quota.
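Added example (not part of the original docs and not the service's own code): a client-side retry wrapper that sends the API key, waits for the Retry-After interval on 429, reuses one Idempotency-Key across retries, and stops on 401 instead of hammering with a revoked key. Assumptions: the send(headers) transport hook is hypothetical, Retry-After may be either seconds or an HTTP-date, and the 1-second fallback and 60-second cap are arbitrary choices.

```python
import email.utils
import time
import uuid

def parse_retry_after(value, now=None):
    """Seconds to wait for a Retry-After value (delta-seconds or HTTP-date)."""
    if value is None:
        return 1.0  # assumed fallback when the header is missing
    value = value.strip()
    if value.isdecimal():
        return float(value)
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return 1.0  # unparseable value: use the same assumed fallback
    now = time.time() if now is None else now
    return max(0.0, when.timestamp() - now)

def call_with_retry(send, api_key, max_attempts=4, max_wait=60.0, sleep=time.sleep):
    """send(headers) -> (status, response_headers, body); hypothetical transport hook."""
    headers = {
        "Authorization": f"Bearer {api_key}",
        # Generated once per logical request so every retry carries the same key.
        "Idempotency-Key": str(uuid.uuid4()),
    }
    for attempt in range(1, max_attempts + 1):
        status, resp_headers, body = send(dict(headers))
        if status == 401:
            # Revoked or invalid key: retrying cannot succeed.
            raise PermissionError("API key rejected (401); not retrying")
        if status != 429:
            return status, body
        if attempt == max_attempts:
            break
        # Header names are case-insensitive, so normalise before the lookup.
        lookup = {k.lower(): v for k, v in resp_headers.items()}
        sleep(min(parse_retry_after(lookup.get("retry-after")), max_wait))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")
```

Plug a real HTTP call into send and keep the key out of source control, for example by reading it from an environment variable.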
CORS
The gateway sends Access-Control-Allow-Origin: https://pixozip.pretzl.dev
by default. Use a server-side proxy if you need to call from a browser
origin we haven't allow-listed for you.