Authentication
The Vexrail API uses API key pairs for authentication. Every request to the API must include both your publishable key and secret key in the request headers.
Required Headers
| Header | Example | Description |
|---|---|---|
x-publishable-key | pk_live_abc123... | Identifies your publisher project. |
x-secret-key | sk_live_xyz789... | Authenticates the request. Must be kept confidential. |
Optional Headers
| Header | Example | Description |
|---|---|---|
x-conversation-id | 550e8400-e29b-41d4-a716-446655440000 | Groups messages into a conversation for context and analytics. |
Example Request
curl -X POST https://api.vexrail.com/v1/chat/completions \
-H "Content-Type: application/json" \
-H "x-publishable-key: pk_live_your_publishable_key" \
-H "x-secret-key: sk_live_your_secret_key" \
-H "x-conversation-id: unique-conversation-id" \
-d '{
"model": "gpt-4o-mini",
"messages": [
{"role": "user", "content": "Hello, world!"}
]
}'
Obtaining API Keys
API keys are generated from the Vexrail dashboard:
- Log in at app.vexrail.com.
- Navigate to your publisher project.
- Go to API Keys.
- Click Generate API Key.
See API Keys for the full guide.
Prerequisites
Before you can generate API keys and make API requests:
- Your publisher account must be activated.
- Your project domain must be verified.
- Your credit wallet must have a positive balance (for chat completions).
Key Security
- Never expose your secret key in client-side code, version control, or logs.
- Store keys in environment variables or a secrets manager.
- The publishable key can be included in client-side code if needed, but the secret key must remain server-side.
- If you suspect a key has been compromised, generate a new key pair immediately.
Error Responses
If authentication fails, the API returns an error response:
| Scenario | HTTP Status |
|---|---|
Missing x-publishable-key or x-secret-key | 401 Unauthorized |
| Invalid key | 401 Unauthorized |
| Key pair mismatch (keys from different pairs) | 401 Unauthorized |
| Inactive key | 401 Unauthorized |
| Domain not verified | 403 Forbidden |
| Insufficient credit balance | 403 Forbidden |
See Errors for the full error reference.