# API Authentication
Every request to the GPTfake API must be authenticated. The API supports two mechanisms: API keys (a bearer token, for server-side and research use) and OAuth 2.0 (for applications acting on behalf of other users). All traffic is HTTPS-only.
## Bearer token

Pass your API key in the Authorization header on every request:

```
curl https://api.gptfake.com/v1/monitoring/chatgpt/metrics \
  -H "Authorization: Bearer YOUR_API_KEY"
```

A missing or malformed token returns 401 Unauthorized. A valid token that lacks the scope for a resource returns 403 Forbidden.
## Which method should I use?

| Use case | Method |
|---|---|
| Server-side scripts, research pipelines, dashboards | API key |
| A third-party app accessing data for its users | OAuth 2.0 |
| Quick one-off curl / notebook exploration | API key |
## Security basics
Treat API keys like passwords. Never commit them to source control, embed them in client-side code, or paste them into shared notebooks. Use environment variables and rotate keys regularly.
- Send credentials only over HTTPS — the API rejects plain HTTP.
- Scope keys to the minimum tier and permissions you need.
- Rotate keys on a schedule and immediately if one is exposed.
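The following is an added example (not code from the GPTfake API docs) that puts the bearer-token flow above and these security basics together in one small Python client: it reads the key from an environment variable instead of hard-coding it, refuses to send the token over anything but HTTPS, maps the documented 401 and 403 responses to actionable messages, and redacts the key before it can reach a log line. The environment variable name `GPTFAKE_API_KEY` and the function names are assumptions; the endpoint URL is the one from the curl example on this page.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Endpoint taken from the page's curl example.
METRICS_URL = "https://api.gptfake.com/v1/monitoring/chatgpt/metrics"
# Assumed environment variable name; the page does not prescribe one.
KEY_ENV_VAR = "GPTFAKE_API_KEY"


def load_api_key(env=None):
    """Read the key from the environment (or an injected mapping) rather than source code."""
    env = os.environ if env is None else env
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set; export it instead of hard-coding the key")
    return key


def is_https(url):
    """True only for absolute https:// URLs; the API rejects plain HTTP anyway, but
    the client should never put a bearer token on the wire unencrypted."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def redact(key):
    """Keep only the last four characters so a key never appears whole in logs or tracebacks."""
    if len(key) <= 4:
        return "****"
    return "*" * (len(key) - 4) + key[-4:]


def build_request(url, api_key):
    """Attach the key as a Bearer token in the Authorization header, HTTPS only."""
    if not is_https(url):
        raise ValueError(f"refusing to send a bearer token to a non-HTTPS URL: {url}")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})


def interpret_status(status):
    """Map the auth failures documented on this page to messages an operator can act on."""
    if status == 401:
        return "unauthorized: token missing or malformed; check the Authorization header and key"
    if status == 403:
        return "forbidden: token is valid but lacks the scope for this resource; use a key with the right tier"
    if 200 <= status < 300:
        return "ok"
    return f"unexpected status {status}"


def fetch_metrics(url=METRICS_URL, env=None):
    """Perform one authenticated GET and return (status, body_bytes, message)."""
    key = load_api_key(env)
    req = build_request(url, key)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(), interpret_status(resp.status)
    except urllib.error.HTTPError as err:
        # Log with the redacted key so a failed request does not leak the credential.
        print(f"request with key {redact(key)} failed: {interpret_status(err.code)}")
        return err.code, err.read(), interpret_status(err.code)


if __name__ == "__main__":
    status, body, message = fetch_metrics()
    print(status, message)
```

Run it with `GPTFAKE_API_KEY` exported in the shell; a 401 or 403 prints the explanation from `interpret_status` alongside the redacted key, which is what you want in pipeline logs and CI output.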
## Next steps
- Create and manage API keys
- Set up OAuth 2.0
- Back to the API overview