Skip to main content
All API requests must be authenticated using an API key. This guide covers how to get your key and use it securely.

Getting Your API Key

1

Log in to the Dashboard

Go to heliosai.health and log in to your account.
2

Navigate to API Keys

Click on API Keys in the left sidebar.
3

Create a New Key

Click Create New Key and give it a descriptive name (e.g., “Production API” or “Development API”).
4

Copy Your Key

Copy the key immediately - it won’t be shown again. Keys start with sk_live_.
Keep your API keys secure. Never expose them in client-side code, public repositories, or logs.

Using Your API Key

Include your API key in the x-api-key header with every request. The same API key works for all endpoints (/api/v1/agent and /api/v1/lab-results): 
curl -X POST https://api.heliosai.health/api/v1/agent \
  -H "Content-Type: application/json" \
  -H "x-api-key: sk_live_your_api_key_here" \
  -d '{ ... }'

Managing API Keys

From the Dashboard Settings page, you can:
ActionDescription
CreateGenerate new API keys with custom names
ViewSee when keys were created and last used
RevokeImmediately disable individual keys
Revoke AllEmergency disable all keys at once

Webhook Secret

Your webhook secret is used to verify that incoming webhooks are authentic. You can generate and manage it from the same Settings page:
ActionDescription
GenerateCreate a new webhook secret (shown once)
RegenerateReplace with a new secret (invalidates the old one)
Store your webhook secret securely in your server’s environment variables. See Webhooks for signature verification implementation.

Security Best Practices

Never hardcode API keys in your source code. Use environment variables:
# .env file (never commit this!)
HELIOS_API_KEY=sk_live_your_api_key_here

// Access in your code
const apiKey = process.env.HELIOS_API_KEY;
Create separate API keys for development, staging, and production. This allows you to:
  • Track usage per environment
  • Revoke compromised keys without affecting production
  • Set up different webhook URLs per environment
While not required, rotating API keys periodically is a security best practice:
  1. Create a new key
  2. Update your application to use the new key
  3. Verify the new key works
  4. Revoke the old key
Check the Last Used column in the Dashboard to monitor key activity. If you see unexpected usage patterns, consider rotating your keys.

Error Responses

If authentication fails, you’ll receive a 401 Unauthorized response: 
{
  "error": "Unauthorized",
  "message": "Invalid or missing API key"
}
Common causes:
  • Missing x-api-key header
  • Invalid or revoked API key
  • Key from a different account

Next Steps

Make Your First Call

Follow the quickstart guide to test your API key.

Set Up Webhooks

Configure secure webhook delivery for results.