Authentication - Croma API

All data endpoints require an API key. The public catalog (/catalog) and the OpenAPI spec (/openapi) do not.

Bearer scheme

Send your key in the Authorization header using the Bearer scheme:

Authorization: Bearer croma_live_xxxxxxxxxxxxxxxxxxxx

Organization-scoped keys only

Croma keys are minted for an organization, not an individual user. The API rejects personal keys with 401:

{
  "error": {
    "type": "authentication_error",
    "code": "personal_api_key_not_allowed",
    "message": "Personal API keys are not allowed. Use an organization key."
  }
}

This keeps usage, rate limits, and billing attributed to the org rather than whichever teammate happened to create the key.

Key format

Keys are issued branded as croma_<env>_…. For example, croma_live_… in production and croma_test_… elsewhere. The environment prefix tells you at a glance which deployment a key targets; never use a test key against production data or vice versa.

A key grants full API access for its organization. Store it as a secret (environment variable / secrets manager), never commit it, and rotate it if exposed.

Failed authentication

All auth failures return 401 with an authentication_error envelope:

`code`	When
`invalid_api_key`	Missing `Authorization` header, malformed key, or a revoked/expired key.
`personal_api_key_not_allowed`	A valid personal key was used instead of an organization key.

Next: Rate limits

How quotas are bucketed and surfaced in every response.

Documentation Index

​Bearer scheme

​Organization-scoped keys only

​Key format

​Failed authentication

Next: Rate limits

Bearer scheme

Organization-scoped keys only

Key format

Failed authentication