Authentication

How to get an API key, where to put it, and what a 401 looks like so you know immediately if something is wrong.

Get an API key

1Sign up or sign in.
2Go to API Keys in your dashboard.
3Click Create key. Give it a name (e.g. "Production server") and choose the environment.

Key prefix	Environment
pk_live_…	Production — use in servers and CI
pk_test_…	Sandbox — safe for local development

Both key types work for rendering — the prefix only affects how usage is attributed in your dashboard.

Bearer header (POST requests)

For server-side code — Node.js, Python, Go, cURL — pass the key in the Authorization header:

text

Authorization: Bearer pk_live_YOUR_API_KEY

bash

curl -X POST https://chart-output.com/api/v1/render \
  -H "Authorization: Bearer pk_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  --output chart.png \
  -d '{"type":"bar","data":{"labels":["A","B"],"datasets":[{"data":[1,2]}]}}'

The word Bearer followed by a single space is required. A header without the prefix returns a 401 with the message "Invalid Authorization format."

Query parameter (GET / image embeds)

Browsers cannot send Authorization headers with <img src> requests. Use a query parameter instead:

html

<!-- key= and apiKey= are both accepted -->
<img
  src="https://chart-output.com/api/v1/render?key=pk_live_YOUR_KEY&type=bar&labels=A,B&data=1,2&format=png"
  alt="Chart"
  width="600"
  height="300"
/>

Both ?key= and ?apiKey= are accepted. The header takes precedence if both are present.

Anonymous requests

Requests with no Authorization header and no key query parameter are allowed and return 200 at anonymous/starter plan limits (PNG only, lower quota). This is intentional — you can try the API without signing up.

401 is only returned when an Authorization header is present but the key is invalid or malformed. Omitting auth entirely is not an error.

Debugging 401s

There are two distinct 401 bodies:

Invalid or revoked key

json

{ "error": "Invalid API key" }

Malformed header (missing "Bearer " prefix)

json

{ "error": "Invalid Authorization format. Use: Bearer <api_key>" }

Symptom	Fix
`"Invalid API key"`	Copy the key exactly from the dashboard — no extra spaces, newlines, or quotes
`"Invalid Authorization format"`	Header must be `Authorization: Bearer pk_live_…` — note the space after `Bearer`
200 but anonymous quota	Your header or query param isn't reaching the server — check HTTP client configuration
401 in `<img>` tag	Use `?key=` in the URL — browsers can't send headers with image requests