Authentication
Understand runtime API keys, CLI browser login tokens, and how to keep LatentKit credentials safe.
LatentKit uses two credential types:
| Credential | Prefix | Best for | How you get it |
|---|---|---|---|
| Runtime API key | lk_... | Your application, server, worker, CI runtime calls | Create or rotate in API Keys |
| CLI account token | lkia_... | Human terminal login, control-plane inspection, logs, traces, routes, keys | latentkit login browser approval |
Most application code should use a runtime API key. The CLI can use browser login so humans do not need to copy raw API keys into their terminals.
Runtime API header
Send your raw API key on every /v1/* request:
Authorization: Bearer <LATENTKIT_API_KEY>
Content-Type: application/jsonBase URL
https://ai.latentkit.comSDKs default to this base URL and normalize paths to /v1.
Where runtime API keys come from
- Sign in to console.latentkit.com
- Open API Keys or use the default key from AI Router
- Copy the secret when created and store it in your server environment
Use this environment variable name in examples:
export LATENTKIT_API_KEY="lk_..."The JavaScript SDK, Python SDK, cURL, and CI commands can all read this value.
CLI browser login
For terminal use:
npm install -g @latentkit/cli
latentkit login
latentkit whoamilatentkit login opens a browser approval flow and stores a local profile. That profile is useful for:
latentkit whoamilatentkit appslatentkit logslatentkit traceslatentkit routeslatentkit keyslatentkit ci check
For non-interactive CI, do not use browser login. Set LATENTKIT_API_KEY instead.
Security rules
Never expose raw API keys, CLI profile files, or provider secrets in frontend code, public repos, screenshots, logs, or AI tool prompts. Load secrets from environment variables or a secrets manager on the server only.
- Rotate keys from the console if a secret may have leaked
- Use separate keys per environment (development, staging, production)
- Log
X-LK-Request-IDon failures for support correlation - Use
--jsonfor CLI automation and avoid printing secrets
Invalid or missing keys
| Condition | Typical response |
|---|---|
| Missing key | 401 with error.code: "INVALID_API_KEY" |
| Invalid or revoked key | 401 with error.code: "INVALID_API_KEY" |
See Error handling for the full error contract.