Skip to content

Authentication

All API requests use a workspace-scoped API key sent as the JSON field clientKey (matches the established CaptchaAI v1 convention) or in an Authorization: Bearer … header.

bash
curl -X POST https://api.captchaai.com/getBalance \
  -H 'Content-Type: application/json' \
  -d '{"clientKey":"cai_…"}'

Creating keys

Sign in to the dashboardAPI keysCreate. The raw key is shown once — store it immediately in your secret manager. Only the prefix is retained on our side; the rest is a SHA-256 hash.

Scopes

ScopeAllowed
fullEverything: createTask, getTaskResult, getBalance, reports
read_onlygetTaskResult, getBalance — never mutates

Rotation

Keys never expire automatically; revoke them via the dashboard or the admin console. We recommend rotating every 90 days. The previous key keeps working until you click Revoke (no grace period after that).

Rate limits

Per workspace, per minute:

EndpointLimit
/createTask600
/getTaskResult6000
/getBalance60

The limit is not the only gate — your active-thread limit can reject createTask with ERROR_NO_SLOT_AVAILABLE long before you hit 600 rpm. See Threads.

CaptchaAI · phase 1 docs