Authentication

Secure your API requests with API tokens

All requests to the Outharm API must be authenticated using Bearer tokens in the Authorization header. This reference covers the technical implementation of API authentication.

Security Note: Store tokens securely and never expose them in client-side code or public repositories.

Before using the API, you must generate API tokens through the Console. Each token is project-scoped and provides secure access to your moderation services. For detailed information on creating and managing tokens, see Projects & Tokens.

Authentication Method

Include your API token in the Authorization header of every request using the Bearer token format:

Authorization: Bearer your_api_token_here

Complete Request Example

POST https://api.outharm.com/moderation/automated
Authorization: Bearer your_api_token_here
Content-Type: application/json

{
  "schema_id": "550e8400-e29b-41d4-a716-446655440000",
  "content": [
    {
      "component": "title",
      "value": "Check this content for harmful material"
    }
  ]
}

Authentication Error Responses

When authentication fails, the API returns specific error codes to help you diagnose the issue:

Missing Token (401 Unauthorized)

When no Authorization header is provided:

{
  "name": "token-required",
  "message": "API token is required",
  "status_code": "401"
}

Invalid Token Format (400 Bad Request)

When the Authorization header format is incorrect:

{
  "name": "invalid-token-format",
  "message": "Invalid API token format",
  "status_code": "400"
}

Invalid or Revoked Token (401 Unauthorized)

When the token doesn't exist or has been revoked:

{
  "name": "invalid-token",
  "message": "API token not found or invalid",
  "status_code": "401"
}

Best Practices

✅ Environment Variables

Store API tokens in environment variables, not in your source code:

# .env
OUTHARM_API_TOKEN=your_api_token_here

// In your application (Node.js)
const token = process.env.OUTHARM_API_TOKEN;

✅ Error Handling

Always handle authentication errors gracefully and check for specific error names in responses.
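
One way to apply this practice from Node.js, as an added example that is not Outharm's own code: it sends the documented request and branches on the documented error names rather than on the HTTP status alone, since two distinct conditions share 401. The helper names and the action labels are assumptions.

```javascript
// Added example, not Outharm's code. The endpoint and error names come from
// this page; helper names and the "action" labels are assumptions.
const ENDPOINT = "https://api.outharm.com/moderation/automated";

// Documented authentication error names mapped to what the caller should do.
const AUTH_ERRORS = new Map([
  ["token-required", "send-authorization-header"],
  ["invalid-token-format", "fix-header-format"],
  ["invalid-token", "replace-token"], // unknown or revoked
]);

// Build the fetch() options; refuse to send when the token is absent.
function buildRequest(token, payload) {
  if (typeof token !== "string" || token.trim() === "") {
    throw new Error("OUTHARM_API_TOKEN is not set");
  }
  return {
    method: "POST",
    headers: {
      Authorization: `Bearer ${token.trim()}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify(payload),
  };
}

// Classify by error name: HTTP 401 alone covers two different conditions.
function classifyResponse(httpStatus, body) {
  if (httpStatus >= 200 && httpStatus < 300) return { ok: true };
  const name = body && typeof body.name === "string" ? body.name : "unknown";
  const action = AUTH_ERRORS.get(name) || "report-unexpected-error";
  return { ok: false, name, action };
}

// Send one moderation request. Only the error name is logged, never the token.
async function moderate(payload, token = process.env.OUTHARM_API_TOKEN, fetchImpl = fetch) {
  const res = await fetchImpl(ENDPOINT, buildRequest(token, payload));
  const body = await res.json().catch(() => null);
  const outcome = classifyResponse(res.status, body);
  if (!outcome.ok) console.error(`Outharm auth/request error: ${outcome.name}`);
  return { ...outcome, body };
}
```

Passing a stub as `fetchImpl` lets the error paths be exercised without a live token.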

❌ Client-Side Exposure

Never include API tokens in client-side JavaScript, mobile apps, or any publicly accessible code.

❌ Version Control

Never commit API tokens to version control systems. Use .gitignore for environment files.

Ready to Get Started?

Now that you understand API authentication, learn about token management or start making moderation requests.
