Authentication
Two ways to authenticate: an API key when you're paying for usage, or an OAuth token when your end-user is. Both are bearer tokens. The rest of this page is which one to use, how to mint it, and the SDK setup that trips people up.
01 Sign up and welcome credits
Register with an email and password. New accounts land with 1,000,000 credits ($1.00) in their balance — enough to round-trip a few thousand low-cost completions before you ever need a card on file.
curl -X POST https://api.usequota.ai/auth/register \
-H "Content-Type: application/json" \
-d '{
"email": "you@example.com",
"password": "your-secure-password"
}'Balance is denominated in credits. 1,000,000 credits = $1.00 — six decimal places of precision so streaming responses bill exactly what they consumed. Email needs an @; password needs at least 8 characters. Register is rate-limited to 3 requests/minute, login to 5/minute.
The session_token (sess_…) is what you use to manage your account from the API — minting keys, registering OAuth clients, fetching usage. It expires after 24 hours. For long-lived server-to-server access, use an API key (next section).
02 API keys
API keys authenticate server-to-server requests. The key value is shown once, at creation — Quota stores only a hash, so if you lose it you mint a new one and revoke the old.
Mint a key
Requires a session token. Pass billing_mode to set who pays: developer (you) or user (the end-user whose OAuth access token is passed as the bearer at request time).
curl -X POST https://api.usequota.ai/developers/keys \
-H "Authorization: Bearer sess_..." \
-H "Content-Type: application/json" \
-d '{"name": "production-server", "billing_mode": "developer"}'Send it
Either Authorization: Bearer or X-API-Key — whichever fits your stack. They're equivalent.
curl https://api.usequota.ai/v1/balance \
-H "Authorization: Bearer sk-quota-..."Manage and rotate
List with GET /developers/keys (returns metadata only — secrets are never re-exposed). Revoke with DELETE /developers/keys/:id. Rotation is a two-step: mint the new key, deploy it, then delete the old one. Both keys are valid in the overlap window.
03 Token types
Quota issues three bearer-token shapes. Each one tells the server who is calling and whose wallet to bill.
| sk-quota-…API key | Server-to-server developer key. Bills the developer's account. |
| sess_…session token | Browser/CLI session, returned by /auth/register and /auth/login. Use it for account-management endpoints (/developers/*, /account). Expires after 24 hours. |
| quota_token_…OAuth access token | End-user access token issued by /oauth/token. Bills the user's wallet directly. Refresh with the paired quota_refresh_… token before it expires. |
The prefixes are stable and unique enough to grep your codebase or logs for an accidental leak. sk-quota- matches OpenAI's sk- convention so secret-scanning tools recognize it.
04 SDK base URL setup
Quota is OpenAI-compatible. Point an existing OpenAI or Anthropic SDK at our base URL and your code keeps working — including streaming, tool calls, and structured outputs. The base URL is per-SDK: OpenAI's expects the /v1 suffix, Anthropic's adds it for you.
import OpenAI from "openai";
const client = new OpenAI({
baseURL: "https://api.usequota.ai/v1",
apiKey: process.env.QUOTA_API_KEY,
});
const response = await client.chat.completions.create({
model: "gpt-4o-mini",
messages: [{ role: "user", content: "Hello" }],
});05 Rate limits
The default is 100 requests/minute per API key. This is a soft cap — it's the out-of-the-box limit, not a hard ceiling. If you need more, ask and we'll lift it. Auth endpoints (/auth/register, /auth/login) and funding endpoints have stricter, separate limits.
Every response carries the current state of your window in headers, so you don't have to track it yourself.
| X-RateLimit-Limitinteger | Maximum requests allowed in the current window. |
| X-RateLimit-Remaininginteger | Requests remaining in the current window. |
| X-RateLimit-Resetunix timestamp | When the window resets, in seconds since epoch. |
Exceed the limit and the request returns 429 rate_limit_exceeded. Read X-RateLimit-Reset to know when to retry; bursting through a 429 won't make it return faster.
06 OAuth, briefly
Use OAuth when your end-users should pay from their own Quota balance instead of yours. The flow is standard: register a client, redirect the user to /oauth/authorize, exchange the returned code at /oauth/token, then send the resulting quota_token_… as the bearer on chat-completion requests.
Quota uses standard OAuth 2.0 with PKCE — the SDKs handle this transparently.
curl -X POST https://api.usequota.ai/developers/apps \
-H "Authorization: Bearer sess_..." \
-H "Content-Type: application/json" \
-d '{
"name": "My App",
"redirect_uris": ["https://myapp.com/callback"]
}'OAuth clients receive quota_client_… / quota_secret_… credentials. The secret is shown once, the same way an API key is. Redirect URIs must be HTTPS in production; http://localhost:* and http://127.0.0.1:* are allowed for development. No wildcards.