Authentication
Learn how to authenticate your API requests to GoodTake AI
Overview
The GoodTake AI API uses API keys to authenticate requests. All API requests must include a valid API key in the request headers. API keys are prefixed with gt_ and provide secure access to our AI generation endpoints.
Base URL: https://api.goodtake.ai
Getting Your API Key
To obtain an API key:
- Log in to your GoodTake account
- Navigate to Settings → Developer Settings
- Click Create New API Key
- Give your key a descriptive name (e.g., "Production App")
- Copy the key immediately - you won't be able to see it again
Security Warning: Treat your API keys like passwords. Never share them publicly or commit them to version control. Store them securely using environment variables or secret management systems.
Authentication Methods
The API accepts API keys in two ways:
Method 1: Authorization Header (Recommended)
Pass your API key as a Bearer token in the Authorization header:
curl https://api.goodtake.ai/api/v1/bytedance/generate-image \
-H "Authorization: Bearer gt_your_api_key_here" \
-H "Content-Type: application/json" \
-d '{
"prompt": "A beautiful sunset over mountains"
}'Method 2: X-API-Key Header
Alternatively, you can use the X-API-Key header:
curl https://api.goodtake.ai/api/v1/bytedance/generate-image \
-H "X-API-Key: gt_your_api_key_here" \
-H "Content-Type: application/json" \
-d '{
"prompt": "A beautiful sunset over mountains"
}'Authentication Examples
Python
import requests
API_KEY = "gt_your_api_key_here"
BASE_URL = "https://api.goodtake.ai"
headers = {
"Authorization": f"Bearer {API_KEY}",
"Content-Type": "application/json"
}
response = requests.post(
f"{BASE_URL}/api/v1/bytedance/generate-image",
headers=headers,
json={"prompt": "A beautiful sunset over mountains"}
)
print(response.json())JavaScript / Node.js
const API_KEY = "gt_your_api_key_here";
const BASE_URL = "https://api.goodtake.ai";
const response = await fetch(`${BASE_URL}/api/v1/bytedance/generate-image`, {
method: "POST",
headers: {
"Authorization": `Bearer ${API_KEY}`,
"Content-Type": "application/json"
},
body: JSON.stringify({
prompt: "A beautiful sunset over mountains"
})
});
const data = await response.json();
console.log(data);Go
package main
import (
"bytes"
"encoding/json"
"fmt"
"io"
"net/http"
)
const (
APIKey = "gt_your_api_key_here"
BaseURL = "https://api.goodtake.ai"
)
func main() {
payload := map[string]string{
"prompt": "A beautiful sunset over mountains",
}
jsonData, _ := json.Marshal(payload)
req, _ := http.NewRequest(
"POST",
BaseURL+"/api/v1/bytedance/generate-image",
bytes.NewBuffer(jsonData),
)
req.Header.Set("Authorization", "Bearer "+APIKey)
req.Header.Set("Content-Type", "application/json")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := io.ReadAll(resp.Body)
fmt.Println(string(body))
}cURL
# Using environment variable for security
export GOODTAKE_API_KEY="gt_your_api_key_here"
curl -X POST https://api.goodtake.ai/api/v1/bytedance/generate-image \
-H "Authorization: Bearer $GOODTAKE_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"prompt": "A beautiful sunset over mountains",
"model": "seedream-4-5-251128"
}'Error Responses
401 Unauthorized
Returned when authentication fails:
{
"error": {
"code": "unauthorized",
"message": "Invalid or missing API key"
}
}Common causes:
- Missing
AuthorizationorX-API-Keyheader - Invalid API key format (must start with
gt_) - API key has been revoked or expired
- API key doesn't exist in our system
403 Forbidden
Returned when the API key is valid but lacks permission:
{
"error": {
"code": "forbidden",
"message": "Insufficient credits or quota exceeded"
}
}API Key Management
Key Security Best Practices
1. Use Environment Variables
Store API keys in environment variables, never hardcode them:
# .env file (add to .gitignore)
GOODTAKE_API_KEY=gt_your_api_key_here2. Rotate Keys Regularly
Create new keys and revoke old ones periodically to minimize security risks.
3. Use Different Keys for Different Environments
Maintain separate API keys for development, staging, and production environments.
4. Monitor Key Usage
Check the "Last Used" timestamp in your Developer Settings to detect unauthorized access.
Revoking an API Key
If you suspect your API key has been compromised:
- Navigate to Settings → Developer Settings
- Find the compromised key in the list
- Click Revoke or Delete
- Create a new API key immediately
- Update your applications with the new key
Once revoked, an API key cannot be restored. You must create a new one.
Key Metadata
Each API key includes the following information:
| Field | Description |
|---|---|
| Name | User-defined identifier (e.g., "Production App") |
| Prefix | First characters of the key (e.g., gt_abcd...) for identification |
| Created At | Timestamp when the key was generated |
| Last Used | Most recent successful authentication timestamp |
| Expires At | Optional expiration date (if set) |
| Status | Active or Revoked |
Rate Limiting
API keys are subject to rate limits based on your subscription tier. See Rate Limits for details.