Authentication
Every request to POST /v1/research must be authenticated via an API key.
API keys
Pass your secret key in the X-API-Key header:
curl -X POST https://api.bahith.dev/v1/research \
-H "Content-Type: application/json" \
-H "X-API-Key: bh_live_your_key_here" \
-d '{ "query": "..." }'Keys are prefixed with bh_live_. Bahith stores only a SHA-256 hash of your
key, so it can never be shown to you again after creation — treat it like a
password.
Never embed a bh_live_ key in client-side code, a mobile app, or a public
repo. Call Bahith from your backend and keep the key in a secret manager or
environment variable.
Managing keys
From your dashboard → API Credentials you can:
- Generate a new key (shown once).
- Roll your key — this revokes the previous one and issues a replacement.
- See each key's created and last used timestamps.
Rolling a key immediately invalidates the old one. Update your integration before rolling in production.
Errors
A missing, malformed, or revoked credential returns 401:
{
"error": {
"type": "authentication_error",
"code": "INVALID_API_KEY",
"message": "Invalid or missing API key. Set X-API-Key header or Authorization: Bearer <key>"
}
}See Errors & limits for the full list.