
Public preview — This API is in public preview. Endpoints, schemas, and limits may change before general availability.


Authentication

Issuing, using, rotating, and revoking API keys.

Every request to /v1 must include an API key, sent in the standard Authorization: Bearer … header.

The header

POST /v1/responses HTTP/1.1
Host: chat.eugpt.ai
Authorization: Bearer eugpt_AbCdEf01234567890_redacted
Content-Type: application/json

API keys are always prefixed with eugpt_. The prefix is the easiest way to spot a leaked key in logs and with secret scanners.
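The prefix-based detection described above, as an added example (not EU GPT's own code): it scans constructed log lines for eugpt_ keys and masks each one so the finding can be matched against the key list in the web app without re-leaking the secret. The key-body character set and minimum length in KEY_PATTERN are assumptions; only the eugpt_ prefix is documented.

```python
import re

# Assumption (not from the page): the part after the prefix is letters, digits or
# underscores and at least 16 characters long. Only the eugpt_ prefix is documented.
KEY_PATTERN = re.compile(r"eugpt_[A-Za-z0-9_]{16,}")

# Constructed sample log lines; two of them leak a key (both values are fake).
SAMPLE_LOG = """\
2024-05-01T02:13:44Z INFO  request POST /v1/responses status=200
2024-05-01T02:13:45Z DEBUG headers={'Authorization': 'Bearer eugpt_AbCdEf01234567890_redacted'}
2024-05-01T02:13:46Z WARN  retry after 429 for key eugpt_Zz9900112233445566
2024-05-01T02:13:47Z INFO  user=alice project_id=demo-42
"""


def find_keys(text):
    """Return every API key found in text, in order of appearance."""
    return KEY_PATTERN.findall(text)


def mask_key(key, visible=4):
    """Keep the eugpt_ prefix plus a few characters: enough to identify the key
    for revocation, not enough to use it."""
    body = key[len("eugpt_"):]
    return "eugpt_" + body[:visible] + "..."


def redact(text):
    """Replace every key in text with its masked form."""
    return KEY_PATTERN.sub(lambda m: mask_key(m.group(0)), text)


def scan_log(log):
    """Return (line_number, masked_key) pairs for every line that leaks a key."""
    hits = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        for key in find_keys(line):
            hits.append((lineno, mask_key(key)))
    return hits


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: leaked key {masked}")
    print(redact(SAMPLE_LOG))
```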

Issuing keys

Keys are managed in the EU GPT web app:

  1. Sign in at the URL of the environment you want to call (production: chat.eugpt.ai).
  2. Open Settings → API Keys.
  3. Click Create key. Give it a descriptive name — the key list is what you will see when something breaks at 2 a.m.
  4. Copy the value. It is shown once. After you close the dialog the full key is gone — only the prefix remains visible.

A key is bound to:

  • The user that issued it. The key inherits that user’s organisation membership, projects, and license plan.
  • The environment that issued it. A staging key cannot call production; production keys cannot call staging or demo.

Rotating keys

There is no built-in expiry. Rotate by:

  1. Issuing a new key in the web app.
  2. Deploying the new key into your application.
  3. Revoking the old key once you have confirmed the new one is working.

Plan rotations on a cadence that matches your security posture — quarterly is a reasonable default for most teams.

Revoking keys

In Settings → API Keys, click Revoke on the row you want to disable. Revocation is immediate. Subsequent requests with that key will receive 401 Unauthorized within seconds.

Scoping

API keys carry the same license plan as the user that issued them. That means:

  • Tool availability follows the plan — for example, advanced web search is gated on Individual Max and above.
  • Project membership is enforced: passing a project_id for a project you cannot access returns 403.

What about OAuth or OIDC?

The web UI uses OIDC against Keycloak. The public /v1 API uses API keys only, by design — long-lived secrets are simpler for server-to-server integration, and key revocation is auditable in one place.

For end-user-driven applications that need per-user identity (e.g. a SaaS that sells access to its own customers), issue one API key per organisation and propagate end-user identity through your own application layer.

Common errors

Status | What it means                                                                                                  | Fix
401    | Missing, malformed, or revoked key.                                                                            | Re-issue the key, or check that the Authorization header is being sent.
403    | Key is valid but the requested operation is not permitted (e.g. project not yours, plan does not allow it).    | Check project membership and license plan.
429    | Usage limit hit.                                                                                               | Back off, retry later, or contact us.

The full error reference is in Errors.