SALZ
Sign Up

Bearer Token Authentication

How to use bearer tokens in SALZ API requests -- Authorization header format, token validation, and error handling.

SALZ uses the Bearer authentication scheme defined in RFC 6750. Your API key is sent as a bearer token in the Authorization header of every request.

Header Format

The Authorization header must follow this exact format:

Authorization: Bearer YOUR_API_KEY

Note the single space between Bearer and the key. The scheme name Bearer is case-sensitive.

Complete Request Example

curl -X POST https://add-salz.io/api/v1/optimize \
  -H "Authorization: Bearer salz_k_a1b2c3d4e5f6g7h8i9j0..." \
  -H "Content-Type: application/json" \
  -d '{"text": "Text to optimize"}'

In JavaScript:

const response = await fetch('https://add-salz.io/api/v1/optimize', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ text: 'Text to optimize' }),
});

In Python:

response = requests.post(
    "https://add-salz.io/api/v1/optimize",
    headers={"Authorization": f"Bearer {api_key}"},
    json={"text": "Text to optimize"},
)

Token Validation

When SALZ receives a request, it validates the bearer token by checking:

  1. Presence -- The Authorization header exists and contains a Bearer token.
  2. Format -- The token matches the expected API key format.
  3. Validity -- The key exists in the database and has not been revoked.
  4. Account status -- The account associated with the key is active.

All of this happens before your text is processed.

Error Responses

Missing Authorization Header

If the header is not included:

{
  "error": "Missing Authorization header",
  "success": false
}

HTTP Status: 401 Unauthorized

Invalid Token

If the token is malformed or does not match any key:

{
  "error": "Invalid or missing API key",
  "success": false
}

HTTP Status: 401 Unauthorized

Revoked Key

If the key has been revoked in the dashboard:

{
  "error": "Invalid or missing API key",
  "success": false
}

HTTP Status: 401 Unauthorized

The error message is intentionally the same for invalid and revoked keys to prevent attackers from distinguishing between the two.

Common Mistakes

  • Missing the Bearer prefix. Sending just the API key without Bearer in front of it will fail.
  • Extra whitespace. Trailing spaces or newlines in the key string cause authentication failures. Trim your environment variables.
  • Using the key in query parameters. SALZ only accepts authentication via the Authorization header, never in URL parameters.
  • Client-side exposure. Never include your API key in browser-side JavaScript. Always call the SALZ API from your server.

Handling Auth Errors in Code

const response = await fetch('https://add-salz.io/api/v1/optimize', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.SALZ_API_KEY}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ text }),
});

if (response.status === 401) {
  throw new Error('SALZ API key is invalid or missing. Check your SALZ_API_KEY environment variable.');
}