Authentication
SharkApi.dev uses Bearer token authentication. Every API request must include a valid token in the Authorization header.
Overview
API tokens are long-lived credentials tied to your account. You can create multiple tokens — one per project, environment, or team member. Revoking a token immediately invalidates all requests using it.
API Tokens
Creating a token
Go to Dashboard → API Tokens and click New Token. Give it a descriptive name (e.g. production-app or staging-backend).
⚠ The full token value is shown only once at creation time. Copy and store it securely immediately — you cannot retrieve it later.
Token states
| State | Description |
|---|---|
| active | Token is valid and can authenticate API requests. |
| revoked | Token has been manually invalidated. All requests using it will fail. |
| unused | Token has never been used to make a request. |
Using your token
Include the token as a Bearer credential in the Authorization HTTP header on every request.
Authorization header
http
Authorization: Bearer sk_live_your_token_here
cURL example
bash
curl https://api.sharkapi.dev/v1/generate \
  -H "Authorization: Bearer sk_live_your_token_here" \
  -H "Content-Type: application/json" \
  -d '{"mode":"1k","prompt":"Bioluminescent deep sea"}'
JavaScript / Node.js
javascript
const res = await fetch("https://api.sharkapi.dev/v1/generate", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${process.env.SHARKAPI_TOKEN}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ mode: "1k", prompt: "Bioluminescent deep sea" }),
});
Security tips
Treat your API token like a password. Follow these best practices:
→ Store tokens in environment variables, never hardcode them in source files.
→ Never expose tokens in client-side JavaScript or browser code.
→ Create separate tokens per environment (dev, staging, production).
→ Rotate tokens periodically and immediately if you suspect a leak.
→ Revoke unused tokens to reduce your attack surface.
⛔ If a token is exposed publicly (e.g. pushed to a public GitHub repo), revoke it immediately from your dashboard and create a new one.
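A check for the first tip, as an added example (not SharkApi.dev code): a small scanner that flags hardcoded tokens in source text and reports them redacted, so the scan output does not leak the token a second time. The token pattern (`sk_live_` followed by 12 or more URL-safe characters) is an assumption based on the placeholder shown on this page, and the sample input is constructed.

```javascript
// Added example, not SharkApi.dev code.
// ASSUMPTION: a real token is "sk_live_" plus 12 or more URL-safe characters.
// The page shows only the sk_live_ prefix, so adjust the pattern to your tokens.
const TOKEN_RE = /\bsk_live_[A-Za-z0-9_-]{12,}/g;

// Documentation placeholder from this page; matches the pattern but is not a secret.
const PLACEHOLDERS = new Set(["sk_live_your_token_here"]);

// Report only a short prefix and the length, never the full credential.
function redact(token) {
  return `${token.slice(0, 12)}... (${token.length} chars)`;
}

// Return one finding per hardcoded token, with 1-based line and column.
function findHardcodedTokens(source, file = "<input>") {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const m of text.matchAll(TOKEN_RE)) {
      if (PLACEHOLDERS.has(m[0])) continue;
      findings.push({ file, line: i + 1, column: m.index + 1, token: redact(m[0]) });
    }
  });
  return findings;
}

// Constructed sample: an env lookup (fine), the docs placeholder (ignored),
// and a constructed hardcoded value (flagged).
const SAMPLE = [
  "const res = await fetch(url, {",
  "  headers: { Authorization: `Bearer ${process.env.SHARKAPI_TOKEN}` },",
  "});",
  '// curl -H "Authorization: Bearer sk_live_your_token_here"',
  'const TOKEN = "sk_live_CONSTRUCTED0example0value";',
].join("\n");

for (const f of findHardcodedTokens(SAMPLE, "app.js")) {
  console.log(`${f.file}:${f.line}:${f.column} hardcoded token ${f.token}`);
}
```

Run over staged file contents in a pre-commit hook or CI step, a non-empty result is the signal to block the commit and, if the value was ever pushed, to revoke the token.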
Authentication errors
| Status | Description |
|---|---|
| 401 Unauthorized | Missing or malformed Authorization header. |
| 403 Forbidden | Token is valid but has been revoked or belongs to a suspended account. |
| 429 Too Many Requests | Rate limit exceeded. Slow down your requests. |
