Authentication

OpenApp SDKs authenticate with API keys in the encoded form described in API keys. The token embeds the API base URL; each SDK parses it and configures HTTP unless you override the base URL where the binding supports it.

For Python-only topics (rotation snippets, repr privacy), see Python — Authentication.

Obtain a key

Sign in to the OpenApp dashboard.
Open Resources → API Keys.
Create a key, set expiry, and copy the token once.

Creating keys requires the api_keys:create role in the target organization.

Construct the client

Pass the full token string (including the https://…/api/v1_openapp_… prefix).

from openapp_sdk import Client

client = Client.connect(
    api_key="https://api.openapp.house/api/v1_openapp_YOUR_SECRET",
)

import { AsyncClient } from "@tomers/openapp-sdk";

const client = new AsyncClient(
  "https://api.openapp.house/api/v1_openapp_YOUR_SECRET",
);

use openapp_sdk::Client;

let client = Client::builder()
    .api_key("https://api.openapp.house/api/v1_openapp_YOUR_SECRET")
    .build()?;

import openapiclient "github.com/tomers/openapp-sdk/go"

client, err := openapiclient.NewAPIClient(
    "https://api.openapp.house/api/v1_openapp_YOUR_SECRET",
)
if err != nil {
    return err
}
defer func() { _ = client.Close() }()

Go: NewAPIClient uses CGO and the core C bridge; call Close when finished so native runtime handles are released.

Rust / TypeScript: Prefer one long-lived client per process and reuse it (clone in Rust; keep a single AsyncClient in Node).

Override the base URL

Use this when the token’s embedded host does not match the server you need (staging, proxy, or on‑prem).

client = Client.connect(
    api_key="https://api.openapp.house/api/v1_openapp_YOUR_SECRET",
    base_url="https://staging.example.com/api/v1",
)

use openapp_sdk::Client;

let client = Client::builder()
    .api_key("https://api.openapp.house/api/v1_openapp_YOUR_SECRET")
    .base_url("https://staging.example.com/api/v1")?
    .build()?;

The Go client follows the same rule as TypeScript: NewAPIClient takes only the key; the service URL is derived from the token. Point your key at the right environment or layer a proxy that preserves paths.

Environment variables

None of the SDKs read OPENAPP_API_KEY (or similar) by default — configure explicitly or wrap yourself:

import os
from openapp_sdk import Client

def client_from_env() -> Client:
    return Client.connect(api_key=os.environ["OPENAPP_API_KEY"])

import { AsyncClient } from "@tomers/openapp-sdk";

function clientFromEnv(): AsyncClient {
  const apiKey = process.env.OPENAPP_API_KEY;
  if (!apiKey) throw new Error("OPENAPP_API_KEY is not set");
  return new AsyncClient(apiKey);
}

use openapp_sdk::Client;

fn client_from_env() -> Result<Client, openapp_sdk::SdkError> {
    let key = std::env::var("OPENAPP_API_KEY")
        .map_err(|e| openapp_sdk::SdkError::Config(format!("OPENAPP_API_KEY: {e}")))?;
    Client::builder().api_key(key).build()
}

import (
    "fmt"
    "os"

    openapiclient "github.com/tomers/openapp-sdk/go"
)

func ClientFromEnv() (*openapiclient.APIClient, error) {
    key := os.Getenv("OPENAPP_API_KEY")
    if key == "" {
        return nil, fmt.Errorf("OPENAPP_API_KEY is not set")
    }
    return openapiclient.NewAPIClient(key)
}

Key lifecycle over the wire is documented in the API reference under API Keys — for example POST /api-keys, revoke, restore, and purge. Language surfaces differ (client.api_keys in Python, APIKeysAPI in Go, etc.); map tags from the OpenAPI document to your SDK.

Browser sessions (Kratos) — introspection (GET /auth/whoami, GET /auth/session, …) and cookie logout are under the Auth tag; see Auth (browser session).

Troubleshooting

Symptom	Likely cause
Invalid token format	Missing `_openapp_` separator — copy the full dashboard token.
Cannot derive base URL	Malformed URL prefix; set `base_url` explicitly (Python / Rust) or mint a key for that host.
401 Unauthorized	Revoked or expired key, wrong org, or wrong backend.