Skip to main content
Every request to the Livepeer AI Gateway API requires a Bearer token. Obtain one from Livepeer Studio under Settings > API Keys. Two key types exist — choose based on where your code runs.

API key types

A backend key in client-side code is a critical security vulnerability. Use the correct type for the deployment context.

Using a backend API key

Pass the key as a Bearer token in the Authorization header: 
curl -X POST https://livepeer.studio/api/beta/generate/text-to-image \
  -H "Authorization: Bearer $LIVEPEER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"prompt": "a mountain at dawn", "model_id": "SG161222/RealVisXL_V4.0_Lightning"}'
In environment variables: 
# .env (never commit this file)
LIVEPEER_API_KEY=your-api-key-here

// Never hardcode -- always read from environment
const client = new Livepeer({ apiKey: process.env.LIVEPEER_API_KEY });

CORS-enabled keys for browser applications

When your frontend makes direct API calls, create a CORS-enabled key in Studio. The Studio dashboard scopes the key to specific asset or stream IDs — a leaked CORS key cannot access other resources in your account. Create in Studio: Settings > API Keys > Create Key > Enable CORS. 
// Safe to bundle in a React or Next.js frontend
const client = new Livepeer({
  apiKey: process.env.NEXT_PUBLIC_LIVEPEER_CORS_KEY, // CORS-enabled key
});
The NEXT_PUBLIC_ prefix makes the variable available client-side in Next.js. Do not use this prefix for backend API keys.

Key rotation

Rotate API keys on a schedule and immediately if a key is exposed. Studio lets you create multiple active keys and delete compromised ones without downtime. Recommended rotation schedule:
  • Production backend keys: every 90 days
  • After any team member offboarding
  • Immediately after any suspected exposure
Keep API keys out of version control. If a key appears in a commit, treat it as compromised and rotate immediately — git history is permanent and public repositories are indexed.

Authentication errors

A 401 Unauthorized response means the key is missing, malformed, or invalid: 
{"error": "Unauthorized", "message": "Invalid API key"}
Check:
  1. The Authorization header is present and formatted as Bearer <key> (not Bearer: <key>)
  2. The key value has no leading or trailing whitespace
  3. The key has not been deleted or expired in Studio
  4. You are using a backend key for a server-side request, not a CORS key

SDK Integration Guide

Full SDK setup with authentication patterns for TypeScript, Python, and Go.

Video Access Control

JWT and webhook-based access control for gating streams and assets.
Last modified on April 7, 2026