The Summarization API uses API Key authentication to control access. There are two ways to provide an API key:
- Environment Variables (
.env) – The API owner can setOPENAI_API_KEYandDEEPSEEK_API_KEYto allow authorized access without requiring clients to provide API keys. However this only works if the origin is a value inALLOWED_ORIGINS. - Request Headers – Clients can include an API key in the
Authorizationheader for each request.
When there is both a
.envkey and a request header key, the request header key will be used.
- 1. API Key Authentication (Recommended)
- 2. Allowed Origin Configuration
- 3. API Key Validation
- 4. Example: API Request without API Key (no Authorization Header)
- Next Steps
Clients can send their API key dynamically in the Authorization header:
curl -X POST http://localhost:3000/summarize/text \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{ "content": { "text": "This is a test." }, "options": {} }'Authorization: Bearer YOUR_API_KEY
The API restricts access to the default keys to specific frontend applications by defining ALLOWED_ORIGINS.
If an origin is not allowed, then the api key must be provided in the request headers.
ALLOWED_ORIGINS=http://localhost:3001,http://localhost:3000- If a frontend is listed in
ALLOWED_ORIGINS, it does not need to send API keys. - If a frontend is not listed in
ALLOWED_ORIGINS, it must include API keys in request headers.
The API uses a security guard (ApiKeyGuard) to verify API keys before processing requests.
| Scenario | What Happens? | Notes |
|---|---|---|
| Valid API Key in Request Header | ✅ Request is allowed | Does not require origin to be provided in ALLOWED_ORIGINS |
Valid API Key in .env but not in request |
✅ Request is allowed (uses .env key) |
Requires origin to be provided in ALLOWED_ORIGINS |
Valid API Key in .env and in request |
✅ Request is allowed (uses request api key) | ✅Even if the origin is provided in ALLOWED_ORIGINS, api key in the request will be used |
No API Key provided in request or .env |
❌ Request is rejected |
curl -X POST http://localhost:3000/summarize/text \
-H "Origin: http://localhost:3001" \
-H "Content-Type: application/json" \
-d '{ "content": { "text": "This is a test." }, "options": {} }'This will be valid only if the ALLOWED_ORIGINS contains http://localhost:3001.
- API Endpoints – Learn how to use the API
- Summarization Customization – Fine-tune summaries