Avtrzdocs
Console
OverviewQuickstartAuthenticationHow it worksGet avatar
Docs/Getting started/Authentication

Authentication

Two key types. Publishable keys live in your frontend. Secret keys live on your server. Both lock to the domains you allow-list in the console. Both rotate without dropping traffic.

Domain allow-listSent via x-api-key

Key types

Publishable keys

Prefix pk_. Safe to ship in an <img> tag. Bound to the domains you allow-list in the key's settings. Can only call the avatar endpoint, never billing or workspace settings.

Secret keys

Prefix sk_. Server only. Sent via the x-api-key header (not as a Bearer token). Use for backend prefetching, batch enrichment, or any flow where you don't want the key in the browser.

Never ship a secret key to the browser.
Secret keys can read your workspace usage. If one ever lands in a frontend bundle, revoke it in the console and audit your traffic. Publishable keys exist exactly so you don't have to.

Using a publishable key

Pass the publishable key as the key query param. The browser is the caller. Lock the key to your domains in Console → API Keys → Allowed domains so nobody else can hot-link your quota.

HTMLBrowser-safe — the 95% case
<img src="https://avtrz.dev/v1/avatar?key=pk_live_7f3e21bc94aa&linkedin_url=linkedin.com/in/alex-rivera&size=128" alt="" />
302 → image/webp · cache-control: public, max-age=86400

Using a secret key

For server-side fetches (populating a database column, prefetching a list, or wiring an agent), use a secret key via the x-api-key header. The endpoint still returns a 302; either follow it or hand the Location URL to your client.

Node
const res = await fetch(
  "https://avtrz.dev/v1/avatar?linkedin_url=linkedin.com/in/alex-rivera&size=256",
  {
    headers: { "x-api-key": process.env.AVTRZ_SECRET! },
    redirect: "manual",
  }
);
// 302 with Location → CDN URL. Either follow it or pass it to the browser.
const cdnUrl = res.headers.get("location");
302 Found · Location: CDN URL · 1 request billed

Rotating keys safely

Keys are independent: creating a new one doesn't affect the old one. Roll deploys at your own pace, then revoke the old key when you're done. There is no maintenance window.

  1. Create a new key of the same type. The old one keeps working.
  2. Deploy the new key to your environments. Watch the usage chart switch over.
  3. Revoke the old key once 100% of traffic is on the new one.

Authentication errors

Auth errors return 401 on the JSON body. The image endpoint serves an SVG fallback so a broken key never breaks your UI.

NameTypeDescription
401 missing_keyauthOptionalNo x-api-key header or ?key= query param. Common during a deploy where env vars haven't propagated.
401 invalid_keyauthOptionalThe key isn't recognized, is disabled, or has been revoked.
403 domain_blockedauthOptionalA publishable key was used from a domain not on its allow-list. Update Allowed domains in the key's settings.
403 plan_limitbillingOptionalYou're over your monthly request quota. Cached redirects keep serving; new lookups stop.
Previous
Quickstart