LatentKit

Authentication

Understand runtime API keys, CLI browser login tokens, and how to keep LatentKit credentials safe.

LatentKit uses two credential types:

CredentialPrefixBest forHow you get it
Runtime API keylk_...Your application, server, worker, CI runtime callsCreate or rotate in API Keys
CLI account tokenlkia_...Human terminal login, control-plane inspection, logs, traces, routes, keyslatentkit login browser approval

Most application code should use a runtime API key. The CLI can use browser login so humans do not need to copy raw API keys into their terminals.

Runtime API header

Send your raw API key on every /v1/* request:

Authorization: Bearer <LATENTKIT_API_KEY>
Content-Type: application/json

Base URL

https://ai.latentkit.com

SDKs default to this base URL and normalize paths to /v1.

Where runtime API keys come from

  1. Sign in to console.latentkit.com
  2. Open API Keys or use the default key from AI Router
  3. Copy the secret when created and store it in your server environment

Use this environment variable name in examples:

export LATENTKIT_API_KEY="lk_..."

The JavaScript SDK, Python SDK, cURL, and CI commands can all read this value.

CLI browser login

For terminal use:

npm install -g @latentkit/cli
latentkit login
latentkit whoami

latentkit login opens a browser approval flow and stores a local profile. That profile is useful for:

  • latentkit whoami
  • latentkit apps
  • latentkit logs
  • latentkit traces
  • latentkit routes
  • latentkit keys
  • latentkit ci check

For non-interactive CI, do not use browser login. Set LATENTKIT_API_KEY instead.

Security rules

Never expose raw API keys, CLI profile files, or provider secrets in frontend code, public repos, screenshots, logs, or AI tool prompts. Load secrets from environment variables or a secrets manager on the server only.

  • Rotate keys from the console if a secret may have leaked
  • Use separate keys per environment (development, staging, production)
  • Log X-LK-Request-ID on failures for support correlation
  • Use --json for CLI automation and avoid printing secrets

Invalid or missing keys

ConditionTypical response
Missing key401 with error.code: "INVALID_API_KEY"
Invalid or revoked key401 with error.code: "INVALID_API_KEY"

See Error handling for the full error contract.

Next

On this page