Authorization
The Get Started page covers how to mint an API key. This page covers how to pass it to a request.
Bearer scheme
All REST endpoints use the standard Authorization: Bearer <key> header.
GET /user/hello HTTP/1.1
Host: api.remoet.dev
Authorization: Bearer your_api_key_here
cURL:
curl -H "Authorization: Bearer your_api_key_here" https://api.remoet.dev/user/hello
JavaScript fetch:
const res = await fetch("https://api.remoet.dev/user/hello", {
  headers: { Authorization: `Bearer ${process.env.REMOET_API_KEY}` },
});
What a bad key returns
The exact 401 body depends on what’s wrong with the request:
// Authorization header is missing entirely
{ "statusCode": 401, "message": "Unauthorized" }
// Header is present but the key isn't recognised
{ "statusCode": 401, "message": "Invalid API Key", "error": "Unauthorized" }
// Key is recognised but expired (revoked or aged out)
{ "statusCode": 401, "message": "API Key Expired", "error": "Unauthorized" }
If you want to distinguish “missing header” from “bad key” in your client, key off the message field. See Errors for the full error catalog.
Keeping the key safe
Treat the key like a password. Never ship it to the browser — use it from server-side code, or from .env files that aren’t committed. If a key leaks, revoke it from www.remoet.dev/api-keys and generate a new one.
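A server-side wrapper that combines the two sections above, as an added example that is not part of the Remoet documentation or SDK: it classifies a 401 by the message field and keeps the key out of error text and away from other hosts. The names `RemoetAuthError`, `classify401`, `buildAuthHeaders` and `remoetGet` are hypothetical, and the assumption that a key never contains whitespace is ours.

```javascript
// Added example; all function and class names here are hypothetical.
// The three 401 messages are the ones listed under "What a bad key returns".
const API_ORIGIN = "https://api.remoet.dev";
const REASONS = new Map([
  ["Unauthorized", "missing_header"],
  ["Invalid API Key", "invalid_key"],
  ["API Key Expired", "expired_key"],
]);

class RemoetAuthError extends Error {
  constructor(reason) {
    super(`Remoet API rejected the request: ${reason}`); // key never appears here
    this.name = "RemoetAuthError";
    this.reason = reason;
  }
}

// Map a parsed 401 body to a stable reason; unrecognised shapes become "unknown".
function classify401(body) {
  const msg = body && typeof body.message === "string" ? body.message : "";
  return REASONS.get(msg) ?? "unknown";
}

// Build the Bearer header. Assumption: keys contain no whitespace, so a key
// pasted with a trailing newline is rejected before it reaches the wire.
function buildAuthHeaders(apiKey) {
  if (typeof apiKey !== "string" || apiKey.length === 0) {
    throw new Error("REMOET_API_KEY is not set");
  }
  if (/[\s\x00-\x1f\x7f]/.test(apiKey)) {
    throw new Error("API key contains whitespace or control characters");
  }
  return { Authorization: `Bearer ${apiKey}` };
}

async function remoetGet(path, { apiKey = process.env.REMOET_API_KEY, fetchImpl = fetch } = {}) {
  const url = new URL(path, API_ORIGIN);
  // An absolute URL passed as `path` must not carry the key to a different host.
  if (url.origin !== API_ORIGIN) throw new Error("refusing to send the key to another origin");
  const res = await fetchImpl(url, { headers: buildAuthHeaders(apiKey) });
  if (res.status === 401) {
    const body = await res.json().catch(() => null);
    throw new RemoetAuthError(classify401(body));
  }
  return res;
}
```

Callers can branch on `err.reason`: `missing_header` points at a client bug, while `invalid_key` and `expired_key` point at the key itself.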
Rate limits
There are two layers:
- Burst: 60 requests per minute per endpoint (30/min for /user/full).
- Daily quota: tier-based — see Get Started.
Both layers return 429 Too Many Requests on exhaustion. The body distinguishes them — see Errors.
MCP
The MCP server uses the same key over the Authorization: Bearer <key> header or via an OAuth flow (Claude Web’s custom connector). See MCP.