PrivateMind uses bearer tokens. Every request must include:
```text
Authorization: Bearer <ACCESS_KEY_ID>:<SECRET>
```

The two halves are joined by a colon and passed as one token.

Key shape

- Access key id: 32 characters, prefixed PMIND. Encodes the owning user.
- Secret: 64 hexadecimal characters. Stored on the server only as a one-way hash (cannot be reversed).

Example:

```text
PMIND...:...
```

The full string, including the colon, is the bearer token. Treat it as a single opaque secret.

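As an added illustration (not PrivateMind's own code), this parser enforces the key shape above and shows the server-side check the one-way-hash note implies, plus a log-safe redaction of the token. The id alphabet after the PMIND prefix, the choice of SHA-256 as the one-way hash, lowercase normalisation of the hex secret and the sample values are all assumptions.

```python
import hashlib
import hmac
import re

# Shape from the docs: 32-char id starting with "PMIND", colon, 64 hex chars.
# The id alphabet after the prefix is not documented; [A-Za-z0-9] is an assumption.
ACCESS_KEY_RE = re.compile(r"^PMIND[A-Za-z0-9]{27}$")
SECRET_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_bearer(header_value: str) -> tuple:
    """Split 'Bearer <id>:<secret>' into (id, secret); reject anything malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing Bearer scheme")
    key_id, sep, secret = token.partition(":")
    if not sep or not ACCESS_KEY_RE.match(key_id) or not SECRET_RE.match(secret):
        raise ValueError("malformed PrivateMind token")
    return key_id, secret.lower()  # normalising case is an assumption


def hash_secret(secret: str) -> str:
    """One-way hash as a server would store it (SHA-256 is an assumption; the docs name no algorithm)."""
    return hashlib.sha256(secret.encode("ascii")).hexdigest()


def verify(header_value: str, stored_hashes: dict) -> bool:
    """Server-side check: look up the id, hash the presented secret, compare in constant time."""
    try:
        key_id, secret = parse_bearer(header_value)
    except ValueError:
        return False
    stored = stored_hashes.get(key_id)
    if stored is None:
        hash_secret(secret)  # do the same work for unknown ids so timing does not reveal which ids exist
        return False
    return hmac.compare_digest(hash_secret(secret), stored)


def redact(header_value: str) -> str:
    """Log-safe form: keep the id (it identifies the owner), never the secret."""
    try:
        key_id, _ = parse_bearer(header_value)
    except ValueError:
        return "<invalid token>"
    return f"{key_id}:<redacted>"


# Constructed sample values, not real credentials.
SAMPLE_ID = "PMIND" + "A" * 27
SAMPLE_SECRET = "ab" * 32
STORE = {SAMPLE_ID: hash_secret(SAMPLE_SECRET)}
```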
Creating, rotating, revoking

API keys are managed at Settings → API Keys:

- Create: name, monthly budget cap (USD), optional expiry. The secret is shown once at creation.
- Rotate: create a new key, swap it into your client, then revoke the old one.
- Revoke: takes effect immediately. The next request returns 401.

There is no API for minting keys programmatically today.
What a key carries

- Which models you can call. Org-level model access is enforced by the API. Calling a model your org isn't entitled to returns 403.
- How much you can spend. Each request's tokens are priced and deducted. When spend hits the cap, calls return 402 until the cap is raised.
- How fast you can call. Per-key requests-per-minute, enforced via a sliding window. Exceeding the limit returns 429.

Security
Treat keys like passwords. Anyone with the full bearer string can spend against your budget until you revoke it.
- Don't commit keys to source control. Use environment variables or a secret manager.
- Don't ship keys to browsers. The API is intended for server-side use; if you need browser access, proxy through your own backend.
- Rotate on a schedule, and immediately if you suspect exposure.
Verifying a key works

```shell
curl -s -o /dev/null -w "%{http_code}\n" \
  "https://api.privatemind.com/v1/models" \
  -H "Authorization: Bearer $PMIND_KEY"
```

200 means the key is valid and active. See Errors for other codes.

Where next
- Quickstart for an end-to-end first request.
- Rate limits for the budget and RPM ceilings your key enforces.
- Errors for the full status-code map.