Authentication
API keys guide: X-API-Key auth and prepaid call billing
Use Firebase-style X-API-Key authentication with ChefSphere prepaid token billing per call. Packs from $29. Early access—keys issue after onboarding, not before.

Keys are how calls authenticate—and how burn is attributed
ChefSphere developer calls authenticate with an X-API-Key in a Firebase-style model: present the key, invoke a module surface, and burn prepaid tokens from one shared balance. This guide is about key hygiene, environments, and attribution—not pack SKUs alone, and not relative burn weights across modules. Those topics live in prepaid-api-tokens and multi-module-token-billing so each URL keeps distinct intent for searchers and for your security review.
During early access You request access, we review, and keys arrive with onboarding when packs become available for your use case. We prioritize active builders so onboarding capacity stays focused.
Practical key hygiene for product teams
Treat keys like passwords: store them in secrets managers, never commit them to mobile binaries or public repos, and rotate when people leave the team. Separate keys by environment when onboarding provides them, so a leaky staging integration cannot drain production prepaid balance overnight. Log key identifiers for support without logging full secrets into analytics pipelines that become tomorrow’s incident.
Every authenticated call burns tokens according to the published operation weights, from cheap catalog reads to heavier AI vision, KYC, and checkout writes. Key-level attribution is how you notice a runaway job; pack size is how you fund capacity starting at $29 for 200,000 tokens. Unused tokens stay on the balance, but a leaked key can still spend them quickly if you are not watching.
Pair this guide with prepaid packs when finance asks how much capacity to buy, and with multi-module billing when engineering asks which calls dominate burn. Pair with developer early access when you do not have keys yet and need the request path explained. Illustrative docs may show header shapes; production contracts and real keys follow access.
What early access changes about keys
Until early access is granted, you should design clients against illustrative OpenAPI samples and a clear threat model for where keys will live later. Do not scrape sample paths into production assumptions, and do not invent endpoint lists that contradict marketing module surfaces. When access opens, buy a pack, receive keys, and call across modules on one ledger without rebuying meters.
Enterprise conversations from $300 per month can include dedicated limits and custom weights, but they still presume disciplined key handling. A larger pack does not forgive a key pasted into a Slack channel. Request early access with your expected environments and whether you need separate keys for staging and production from day one.
Ship auth boringly and correctly
Boring key management is a feature: short onboarding checklists beat clever custom auth schemes that your mobile team cannot rotate under pressure. Prefer server-side possession of keys whenever possible; if a client must call directly, assume the key will leak and plan rotation. Security reviews go faster when your story matches the Firebase-style X-API-Key model we market instead of inventing parallel gateways.
Related guides on prepaid tokens, multi-module billing, and developer early access complete the path from request to first attributed call. If you are ready, request early access and tell us which modules you will call first so key provisioning matches reality. We email when onboarding opens.
API keys highlights
X-API-Key authentication, secret hygiene, and prepaid burn attribution—distinct from pack SKUs and weight tables.
- Firebase-style X-API-Key on each billed call
- Keys provisioned through early access onboarding
- Separate environments and rotate on team changes
- Works with prepaid packs starting at $29
Common questions
- Can I generate an API key myself today?
- Request early access; we review and provision keys when onboarding opens for your use case. Packs open with access.
- Is X-API-Key the same as end-user login?
- No. X-API-Key authenticates your application’s calls to ChefSphere and attributes prepaid token burn. End-user identity and sessions are a separate platform module.
- How do keys relate to prepaid packs?
- Packs fund your shared token balance. Keys authenticate calls that spend that balance. Losing a key can spend capacity; buying a pack without key hygiene still risks leaks.
- Where should I store keys in a mobile app?
- Prefer server-side possession. If a client must hold a key, assume leakage risk, use the least privilege available at onboarding, and plan rotation. Confirm guidance during early access.