Authentication

JoyToken uses API key authentication. Model calls should be sent from your server and use Bearer tokens.

Request Headers

HeaderRequiredDescription
AuthorizationYesBearer $JOY_TOKEN_API_KEY
Content-TypeYesapplication/json
X-Request-IDRecommendedLog, billing, and debugging correlation
X-API-KeyOptionalCompatibility header for older clients; not recommended for new integrations

Do not send both Authorization and X-API-Key on the same request. If both are present, the current gateway reads X-API-Key first.

cURL Example

Set JOY_TOKEN_OPENAI_BASE_URL from Environments before running examples.

$curl "$JOY_TOKEN_OPENAI_BASE_URL/chat/completions" \
> -H "Authorization: Bearer $JOY_TOKEN_API_KEY" \
> -H "Content-Type: application/json" \
> -H "X-Request-ID: auth-example-001" \
> -d '{
> "model": "auto",
> "messages": [{ "role": "user", "content": "ping" }]
> }'

Server-Side Proxy

Browsers and mobile apps should not hold JoyToken API keys. Recommended structure:

Browser / App -> Your backend -> JoyToken
1export async function POST(req: Request) {
2 const body = await req.json();
3 const openAIBaseUrl = process.env.JOY_TOKEN_OPENAI_BASE_URL;
4
5 const response = await fetch(`${openAIBaseUrl}/chat/completions`, {
6 method: "POST",
7 headers: {
8 "Content-Type": "application/json",
9 Authorization: `Bearer ${process.env.JOY_TOKEN_API_KEY}`,
10 "X-Request-ID": crypto.randomUUID(),
11 },
12 body: JSON.stringify(body),
13 });
14
15 return new Response(response.body, {
16 status: response.status,
17 headers: response.headers,
18 });
19}

Checks After Authentication

CheckFailure response
Key is valid and active403 invalid_api_key
IP, tier, and model policy403 policy_rejected
Wallet balance and key budget402 insufficient_quota
Request body validity400 invalid_request_error

Rotate an API Key

  1. Create a new key with the same or stricter policy.
  2. Write it to your server-side secret manager or environment variables.
  3. Send one verification request with X-Request-ID.
  4. Confirm logs and usage in JoyToken Console.
  5. Disable or revoke the old key.

Security Practices

PracticeReason
One key per app and environmentEasier budgets, policy, and usage attribution
Set budgets and tier limits for production keysCost control
Use separate keys for high-risk agentsAvoid unattended overspend
Revoke leaked keys immediatelyDo not keep using exposed keys