Authentication
API key authentication, rate limits, and origin whitelisting.
Authentication
All requests to the molroo API require authentication via an API key. This guide covers key management, request format, rate limits, and error handling.
Get your API key
- Sign in to the molroo dashboard
- Navigate to API Keys
- Click Create Key and copy the generated key
Your API key is shown only once at creation time. Store it securely. If you lose it, revoke the old key and create a new one.
Key format
molroo API keys use a prefix to indicate their environment:
| Prefix | Environment | Description |
|---|---|---|
mk_live_ | Production | Full access, usage is billed |
mk_test_ | Sandbox | For development and testing |
Example: mk_live_a1b2c3d4e5f6g7h8i9j0
Using the API key
With the SDK
The SDK handles authentication automatically. Pass your key in the client config:
import { MolrooWorld } from '@molroo-ai/sdk';
const world = await MolrooWorld.create({
baseUrl: 'https://api.molroo.io',
apiKey: 'mk_live_xxxxx',
llm,
});With raw HTTP requests
Include the key in the X-API-Key header:
curl https://api.molroo.io/worlds \
-H "X-API-Key: mk_live_xxxxx" \
-H "Content-Type: application/json"Rate limits
Rate limits are enforced per API key and vary by plan:
| Plan | Rate Limit |
|---|---|
| Free | 100 requests/min |
| Starter | 500 requests/min |
| Pro | 2,000 requests/min |
| Enterprise | Custom |
When you exceed the rate limit, the API returns a 429 status with the RATE_LIMITED error code. The response includes a Retry-After header indicating how many seconds to wait.
Origin whitelisting
For browser-based applications, you can restrict which origins are allowed to use your API key:
- Go to API Keys in the dashboard
- Click the key you want to configure
- Add allowed origins (e.g.,
https://myapp.com)
If no origins are configured, the key works from any origin. Adding even one origin enables the allowlist, blocking all other origins.
Error responses
All authentication and authorization errors follow a consistent format:
{
"error": {
"code": "UNAUTHORIZED",
"message": "Invalid or missing API key"
}
}Common error codes
| Code | HTTP Status | Description |
|---|---|---|
UNAUTHORIZED | 401 | Invalid or missing API key |
RATE_LIMITED | 429 | Too many requests, retry after the indicated delay |
WORLD_NOT_FOUND | 404 | The specified world ID does not exist or is not accessible |
ENTITY_NOT_FOUND | 404 | The specified entity does not exist in the world |
VALIDATION_ERROR | 400 | Request body failed schema validation |
Security best practices
- Never expose API keys in client-side code that is publicly accessible. Use a backend proxy or server-side rendering.
- Use
mk_test_keys during development to avoid unexpected billing. - Rotate keys periodically by creating a new key, updating your application, and revoking the old key.
- Configure origin whitelisting for any key used in browser environments.
- Use environment variables to store keys, never hardcode them in source code:
# .env
MOLROO_API_KEY=mk_live_xxxxxconst world = await MolrooWorld.create({
baseUrl: 'https://api.molroo.io',
apiKey: process.env.MOLROO_API_KEY!,
llm,
});