All API requests require an API key passed in the Authorization header.
Using your API key
Include your key as a Bearer token in every request:
curl https://runbase.net/api/v1/runs \
-H "Authorization: Bearer sk-your-key-here" \
-H "Content-Type: application/json" \
-d '{"model": "google/nano-banana-2", "input": {"prompt": "hello"}}'API keys always start with sk-.
Creating a key
- Go to Settings → API Keys in the dashboard
- Click Create Key
- Copy the key immediately — it's only shown once
You can create multiple keys to separate usage across projects or environments.
IP whitelisting
For production use, you can restrict an API key to specific IP addresses:
- Go to Settings → API Keys
- Click the edit icon on the key you want to configure
- Add up to 10 IP addresses
Requests from unlisted IPs will receive a 403 ip_not_allowed error.
Spend limits
Set a lifetime spend cap on a key to prevent unexpected charges:
- Go to Settings → API Keys
- Click the edit icon on the key
- Set a spend limit in cents
Once the key's cumulative spend reaches the limit, further requests will receive a 403 api_key_spend_limit_exceeded error. You can raise the limit at any time.
Disabling a key
You can disable a key without deleting it. Disabled keys return 401 invalid_api_key on all requests. Re-enable it when you need it again.
Security best practices
- Never commit API keys to version control
- Use environment variables to store keys
- Create separate keys for development and production
- Set IP whitelists on production keys
- Set spend limits to cap exposure