Authentication

Every request to POST /v1/research must be authenticated via an API key.

API keys

Pass your secret key in the X-API-Key header:

bash
curl -X POST https://api.bahith.dev/v1/research \
  -H "Content-Type: application/json" \
  -H "X-API-Key: bh_live_your_key_here" \
  -d '{ "query": "..." }'

Keys are prefixed with bh_live_. Bahith stores only a SHA-256 hash of your key, so it can never be shown to you again after creation — treat it like a password.

Never embed a bh_live_ key in client-side code, a mobile app, or a public repo. Call Bahith from your backend and keep the key in a secret manager or environment variable.

Managing keys

From your dashboardAPI Credentials you can:

  • Generate a new key (shown once).
  • Roll your key — this revokes the previous one and issues a replacement.
  • See each key's created and last used timestamps.

Rolling a key immediately invalidates the old one. Update your integration before rolling in production.

Errors

A missing, malformed, or revoked credential returns 401:

json
{
  "error": {
    "type": "authentication_error",
    "code": "INVALID_API_KEY",
    "message": "Invalid or missing API key. Set X-API-Key header or Authorization: Bearer <key>"
  }
}

See Errors & limits for the full list.