Authentication
How to authenticate API requests
Overview
The Sora 2 Video API uses API keys for authentication. All API requests must include your API key in the Authorization header using the Bearer token format.
Getting an API Key
- Sign in to your account
- Navigate to Settings → API Keys
- Click "Create New Key"
- Enter a name for your key (e.g., "Production Server", "Development")
- Copy and save your API key immediately
Important
Your API key is only displayed once when created. If you lose it, you'll need to create a new key.
Using Your API Key
Include your API key in the Authorization header of every request:
```
Authorization: Bearer sk_your_api_key_here
```
Example Request
```bash
curl -X POST https://soravideo.art/api/v1/sora2/text-to-video \
  -H "Authorization: Bearer sk_live_abc123xyz789" \
  -H "Content-Type: application/json" \
  -d '{"prompt": "A beautiful sunset over the ocean"}'
```
API Key Format
API keys follow this format:
```
sk_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```
- Prefix: `sk_` (32 random characters follow)
- Length: 35 characters total
- Visible prefix: Only the first 7 characters (`sk_xxxx`) are shown in the dashboard
Security Best Practices
Never expose keys in client-side code
API keys should only be used in server-side code. Never include them in JavaScript that runs in the browser.
```javascript
// ❌ Never do this in frontend code
const response = await fetch('/api/v1/sora2/text-to-video', {
  headers: {
    'Authorization': 'Bearer sk_live_abc123' // Exposed to users!
  }
});
```
```javascript
// ✅ Use in server-side code (Node.js, Python, etc.)
// Or proxy through your own backend
const response = await fetch('https://api.example.com/generate', {
  headers: {
    'Authorization': `Bearer ${process.env.SORA_API_KEY}`
  }
});
```
Use environment variables
Store your API key in environment variables, not in code:
```
SORA_API_KEY=sk_live_your_api_key_here
```
```javascript
const apiKey = process.env.SORA_API_KEY;
```
Rotate keys regularly
Periodically revoke old keys and create new ones:
- Create a new API key
- Update your applications to use the new key
- Verify everything works
- Revoke the old key
Monitor usage
Regularly check your API key usage in the dashboard to detect any unusual activity.
Managing API Keys
Viewing Keys
On the API Keys page, you can see:
- Key name and prefix
- Credit balance
- Status (active/revoked)
- Total requests made
- Last usage time
Revoking Keys
If you suspect a key has been compromised:
- Go to Settings → API Keys
- Find the key and click "Revoke"
- The key will immediately stop working
- Create a new key for your application
Deleting Keys
To permanently remove a key:
- Go to Settings → API Keys
- Find the key and click "Delete"
- Confirm the deletion
You can have up to 10 API keys per account. Delete unused keys to make room for new ones.
Authentication Errors
| Code | Message | Description |
|---|---|---|
| 1001 | Invalid API key | The API key is not valid or doesn't exist |
| 1002 | API key revoked | The key has been revoked |
| 1003 | Missing authorization | No Authorization header provided |
Error Response Example
```json
{
  "code": 1001,
  "msg": "Invalid API key"
}
```
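The following Node.js helper is an added example, not code from the Sora 2 Video API documentation. It reads the key from `SORA_API_KEY`, rejects values that do not match the documented `sk_` + 32-character format, and turns the 1001/1002/1003 responses into errors that show only the 7-character visible prefix. The function names and the choice to accept any non-whitespace character in the key are assumptions.

```javascript
// Added example: helper names are hypothetical, not part of the Sora 2 Video API.
// Documented format: "sk_" followed by 32 characters (35 total). The character
// set is not documented, so any non-whitespace character is accepted (assumption).
const KEY_PATTERN = /^sk_\S{32}$/;

// Documented authentication error codes, with an operator action for each.
const AUTH_ERRORS = {
  1001: { reason: 'Invalid API key', action: 'check SORA_API_KEY for a typo or a deleted key' },
  1002: { reason: 'API key revoked', action: 'create a new key and update SORA_API_KEY' },
  1003: { reason: 'Missing authorization', action: 'make sure the Authorization header is sent' },
};

// Read the key from the environment and fail fast on an obviously wrong value.
function loadApiKey(env = process.env) {
  const key = (env.SORA_API_KEY || '').trim();
  if (!key) throw new Error('SORA_API_KEY is not set');
  if (!KEY_PATTERN.test(key)) throw new Error('SORA_API_KEY does not match sk_ + 32 characters');
  return key;
}

// Log-safe form: the same 7-character prefix the dashboard shows.
function maskKey(key) {
  return key.slice(0, 7) + '...';
}

// Return the matching auth error entry, or null for any other response body.
function classifyAuthError(body) {
  return (body && AUTH_ERRORS[body.code]) || null;
}

// Server-side call; fetchImpl is injectable so the function can be tested offline.
async function textToVideo(prompt, { env = process.env, fetchImpl = fetch } = {}) {
  const key = loadApiKey(env);
  const res = await fetchImpl('https://soravideo.art/api/v1/sora2/text-to-video', {
    method: 'POST',
    headers: { Authorization: `Bearer ${key}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ prompt }),
  });
  const body = await res.json();
  const authError = classifyAuthError(body);
  if (authError) {
    // Only the masked prefix ever reaches logs or error trackers.
    throw new Error(`${authError.reason} (key ${maskKey(key)}): ${authError.action}`);
  }
  return body;
}
```

Because error messages carry only the masked prefix, they can be matched against the key name and prefix listed on the API Keys page without putting the full secret in logs.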