Authentication
JoyToken uses API key authentication. Model calls should be sent from your server and use Bearer tokens.
Request Headers
Do not send both Authorization and X-API-Key on the same request. If both are present, the current gateway reads X-API-Key first.
cURL Example
Set JOY_TOKEN_OPENAI_BASE_URL from Environments before running examples.
Server-Side Proxy
Browsers and mobile apps should not hold JoyToken API keys. Recommended structure:
Checks After Authentication
Rotate an API Key
- Create a new key with the same or stricter policy.
- Write it to your server-side secret manager or environment variables.
- Send one verification request with
X-Request-ID. - Confirm logs and usage in JoyToken Console.
- Disable or revoke the old key.