OneInbox has two kinds of keys. Which one you use depends on where your code runs — that distinction is the whole reason both exist.
| Key | Starts with | Runs where | Can do |
|---|---|---|---|
| API key | oi_sk_ | Your server (backend) | Everything — create agents, make calls, read data |
| Publishable key | oi_pk_ | The browser (frontend) | Only start a call — nothing else |
Use your API key for everything in this section. For the publishable key, see Web SDK — it’s created differently and used only to let website visitors start a call directly from your site.

API key — full access, server only

Your API key is the master credential for your OneInbox account. Anything this documentation shows you — creating agents, making calls, managing tools, reading call records, billing, everything — goes through this key.
  • Format: oi_sk_...
  • Lives: in your backend’s environment variables / secrets manager — never in code you ship to a browser or app
  • Scope: unrestricted. Whoever holds it has the same access you do
  • If it leaks: revoke it immediately from the dashboard and issue a new one. A leaked API key is equivalent to a leaked account password — treat it that way
Because it’s this powerful, the API key is never meant to leave your server. That’s the entire reason the publishable key exists — to give frontend code a way to trigger calls without ever having access to a credential this strong.

Publishable key — limited access, safe for browsers

A publishable key is designed to be safe for use in frontend code. It can be pasted directly into website code that anyone can view in their browser’s dev tools.
  • Format: oi_pk_...
  • Lives: directly in your frontend code (e.g. with the Web SDK) — this is the intended, safe place for it
  • Scope: can only do one thing — start a call. It cannot read your data, list your agents, see call history, or change any account settings
  • Domain-locked: when you create one in the dashboard, you register the origins (domains) it’s allowed to be used from — e.g. https://yoursite.com. A request from any other origin is rejected with 403 ORIGIN_NOT_ALLOWED, even with a valid key
  • If it leaks: low risk by design — it can only start calls on agents you’ve configured, and only from your registered domains. You can still revoke and rotate it from the dashboard if you want to be safe
This is what makes the Web SDK possible: a website visitor’s browser needs some credential to start a call, but it can never be trusted with your full API key. The publishable key solves that — full functionality for its one job, zero exposure for everything else.

Why two keys instead of one

A single backend you control can safely hold a powerful, unrestricted key — only your own server code ever touches it. A browser is different: anything you ship to it is visible to whoever opens dev tools, so any key embedded there is effectively public. Rather than force you to proxy every call request through your own server, OneInbox gives you a second key type that’s safe to be public — scoped down to exactly the one capability a browser legitimately needs, and locked to the domains you control.
| | API key | Publishable key |
|---|---|---|
| Trust model | Secret — protect like a password | Public — safe to expose |
| Who/what uses it | Your server | Visitors’ browsers |
| Capabilities | Full account access | Start a call only |
| Restricted by | Nothing (full scope) | Registered origins (domains) |
| Where to create | Dashboard → API Keys | Dashboard → Publishable Keys |
| If exposed | Revoke immediately — full account compromise | Low risk — already designed to be public, but you can still rotate it |

Get your API key

  1. Sign up or log in at the OneInbox dashboard
  2. Open API Keys
  3. Click Create API key, give it a name, and copy the key
You can view and manage keys anytime from the dashboard — create new keys or revoke old ones as needed.
Never put your API key in frontend code — anyone who finds it gets full access to your account. If you need to trigger calls from a browser, use a publishable key instead (see Web SDK).
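The rule above can be checked automatically before each deploy. The following is an added example, not OneInbox's own code: a Python check that scans built frontend files for strings starting with oi_sk_ and exits non-zero if any are found. The key-body pattern, the file suffix list and the sample keys are assumptions constructed for illustration; the page documents only the two prefixes.

```python
import re
import sys
from pathlib import Path

# Assumption: the page documents only the prefixes (oi_sk_ / oi_pk_); the
# character set and minimum length of the key body here are guesses.
SECRET_KEY_RE = re.compile(r"oi_sk_[A-Za-z0-9_-]{8,}")
TEXT_SUFFIXES = {".js", ".mjs", ".html", ".map", ".json", ".css"}

# Constructed sample bundle: one publishable key (fine) and one API key (not).
SAMPLE_BUNDLE = (
    'const sdk = init({ key: "oi_pk_EXAMPLEpublishable01" });\n'
    'fetch(url, { headers: { Authorization: "Bearer oi_sk_EXAMPLEsecret0001" } });\n'
)


def scan_text(text):
    """Return (line number, redacted key) for each API-key-shaped string."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_KEY_RE.finditer(line):
            # Redact so the finding is traceable without logging the secret.
            hits.append((lineno, "oi_sk_..." + m.group()[-4:]))
    return hits


def scan_tree(root):
    """Scan text assets under a build directory; raise if it is missing,
    so a wrong path cannot pass the check silently."""
    root = Path(root)
    if not root.is_dir():
        raise FileNotFoundError(f"build directory not found: {root}")
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in TEXT_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            rel = path.relative_to(root).as_posix()
            findings += [(rel, n, key) for n, key in scan_text(text)]
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = scan_tree(sys.argv[1])
    else:  # no path given: run on the constructed sample
        found = [("<sample>", n, key) for n, key in scan_text(SAMPLE_BUNDLE)]
    for rel, n, key in found:
        print(f"{rel}:{n}: API key in browser-shipped file: {key}")
    sys.exit(1 if found else 0)
```

Run it against the build output directory as a CI step. A hit means the key has already been written into an artifact, so revoke and reissue it as described above rather than only removing the string.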

How to send it

Add this header to every request:
Authorization: Bearer <api_key>
Example:
curl https://api.oneinbox.ai/v1/agents \
  -H "Authorization: Bearer <api_key>"

Check usage

Retrieve the usage summary for your account: credits consumed, call counts, and billing period.
curl https://api.oneinbox.ai/v1/usage \
  -H "Authorization: Bearer <api_key>"

Quick reference

| Action | Where |
|---|---|
| Create or revoke API keys | Dashboard → API Keys |
| Create or revoke publishable keys | Dashboard → Publishable Keys |
| Call agents, models, calls, etc. (server) | Authorization: Bearer <api_key> on every request |
| Start a call from a website (browser) | Publishable key with the Web SDK |
Full walkthrough → Quickstart