Getting started

Authentication

The LoopLlama API authenticates every request with an API key sent as a Bearer token. Keys carry the full access of the account that created them — treat them like passwords.

API keys#

Create, name, and revoke keys from the API Keys page in your dashboard. A key looks like this:

text

ll_live_aB3dEf6hIjKlMnOpQrStUvWxYz01234567890abc

Every key is prefixed with ll_live_.
The full secret is shown once, at creation time. We only store a hash, so we can never display it again.
The dashboard lists keys by their short prefix (the first 12 characters) and the time each was last used.

Authorizing a request#

Send the key in the Authorization header using the Bearer scheme:

bash

curl https://api.loopllama.ai/v1/workflows \
  -H "Authorization: Bearer ll_live_..."

All requests must be made over HTTPS; calls over plain HTTP will fail. Requests without a valid key receive a 401 Unauthorized response.

Keep keys secret

Never embed an API key in client-side code, a mobile app, or a public repository. Keys belong on your server or in a secrets manager. If a key is exposed, revoke it immediately and issue a new one.

Authentication errors#

A request fails authentication when the header is missing or the key is not recognized. The response body always contains an error field:

json

{ "error": "Missing Bearer token" }

Missing Bearer token — no Authorization: Bearer … header was sent.
Invalid token format — the token is present but is not a LoopLlama key (it must start with ll_live_).
Invalid API key — the key is well-formed but unknown or revoked.

Rotating keys#

Keys never expire on their own — they remain valid until revoked. To rotate a key safely:

Create a new key in the dashboard.
Deploy it to your environment and confirm traffic is flowing.
Revoke the old key. Revocation takes effect immediately.

Issue a separate key per environment or service so you can revoke one without disrupting the others.