Authentication & Security

To make sure your data stays yours, we require a secret key for every request you send to Antarctica. These keys are validated at the edge before the data even reaches our main servers, keeping things fast and secure.

The API Key Header

All data sent to https://otm-api.antarctica.io/ requires an X-API-Key header. Make sure you’re sending your requests over HTTPS (TLS 1.2+).

Key Format

Your API key follows a strict structure: otm_<environment>_<secret>.

environment: One of prod, qa, preview, or dev.
secret: Your unique high-entropy secret string.

Example: otm_prod_sk_7a1b2c3d4e5f6g7h8i9j0k

Here’s what a typical request header looks like:

POST /v1/telemetry/usage HTTP/1.1
Host: otm-api.antarctica.io
X-API-Key: otm_prod_sk_7a1b2c3d4e5f6g7h8i9j0k
Content-Type: application/json

Essential Headers

Header	Why it matters?	Required?
`X-API-Key`	Your secret API key from the dashboard.	Yes
`Content-Type`	Tells our servers to expect JSON. Must be `application/json`.	Yes
`Idempotency-Key`	A unique string (like a UUID) to prevent duplicate data if you have to retry a request.	Recommended

Security Best Practices

1. Write-Only Keys

The API keys you generate for the AI Module are write-only. This means that even if a key is accidentally exposed, an attacker can’t use it to read your logs or see your data, they can only send new data.

2. If Authentication Fails

If your key is missing or incorrect, you’ll get a 401 Unauthorized error. It’ll look something like this:

{
  "message": "Authentication failed",
  "errorType": "AuthError",
  "statusCode": 401
}

3. Revoking a Compromised Key

If you accidentally commit your API key to a public repo (we’ve all been there!), don’t panic. Head over to the AI Module Configurations in your dashboard and delete the key immediately. We’ll stop accepting requests from that key across our entire network in less than 2 seconds.

Setup Rate Limiting