Appearance
Authentication
All API requests use a workspace-scoped API key sent as the JSON field clientKey (matches the established CaptchaAI v1 convention) or in an Authorization: Bearer … header.
bash
curl -X POST https://api.captchaai.com/getBalance \
-H 'Content-Type: application/json' \
-d '{"clientKey":"cai_…"}'Creating keys
Sign in to the dashboard → API keys → Create. The raw key is shown once — store it immediately in your secret manager. Only the prefix is retained on our side; the rest is a SHA-256 hash.
Scopes
| Scope | Allowed |
|---|---|
full | Everything: createTask, getTaskResult, getBalance, reports |
read_only | getTaskResult, getBalance — never mutates |
Rotation
Keys never expire automatically; revoke them via the dashboard or the admin console. We recommend rotating every 90 days. The previous key keeps working until you click Revoke (no grace period after that).
Rate limits
Per workspace, per minute:
| Endpoint | Limit |
|---|---|
/createTask | 600 |
/getTaskResult | 6000 |
/getBalance | 60 |
The limit is not the only gate — your active-thread limit can reject createTask with ERROR_NO_SLOT_AVAILABLE long before you hit 600 rpm. See Threads.