What are Fikra API key prefixes?

Production keys begin with 'fk_live_'. Test keys begin with 'fk_test_'. Always use the appropriate key for your environment.

Is it safe to use Fikra API keys in client-side code?

No. Never expose your API keys in client-side code like vanilla JavaScript or mobile apps. Always route requests through your own secure backend server.

How do I authenticate requests to the Fikra API?

Q: How do I authenticate requests to the Fikra API?

Fikra API uses API keys for authentication. You must include your API key in the Authorization HTTP header as a Bearer token: Authorization: Bearer fk_live_YOUR_KEY.

Fikra API uses API keys to authenticate requests. You can view and manage your API keys in the Developer Dashboard. Every API request must include your API key in an HTTP header. Our proxy engine validates this token cryptographically before any data reaches the proprietary backend.

Implementing the Bearer Token

Authentication to the API is performed via standard HTTP Authorization headers. You must pass your secret key using the Bearer schema. All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.

HTTP Header Format

Authorization: Bearer fk_live_XXXXXXXXXXXXXXXXXXXX

Language Implementations

Python (OpenAI SDK)

import os
from openai import OpenAI

# The SDK automatically handles the Bearer token injection
client = OpenAI(
    base_url="https://api.fikraapi.co.ke/v1",
    # Recommended: Load from environment variables
    api_key=os.environ.get("FIKRA_API_KEY") 
)

Node.js (OpenAI SDK)

import OpenAI from 'openai';

const client = new OpenAI({
  baseURL: 'https://api.fikraapi.co.ke/v1',
  apiKey: process.env.FIKRA_API_KEY
});

cURL

curl https://api.fikraapi.co.ke/v1/models \
  -H "Authorization: Bearer $FIKRA_API_KEY"

What are the Fikra API key prefixes?

Fikra API issues distinct prefixes for your keys so you can easily identify them in your environment variables and source code without exposing the full secret.

Key Prefix	Environment	Billing Impact
fk_live_	Production	Deducts tokens from your live M-Pesa funded balance.
fk_test_	Development / CI	Subject to sandbox limits; does not deduct real funds.

How do I keep my API keys secure?

Your API key carries the same privileges as a password. Because Fikra API operates on a pay-as-you-go model utilizing real funds, a compromised key can result in rapid unauthorized token consumption.

Critical Security Warning

Never expose your fk_live_ key in client-side code (e.g., front-end React apps, mobile iOS/Android apps, or embedded hardware). If malicious actors extract your key, they will drain your token balance.

Security Practice	Implementation Detail
Environment Variables	Store keys in `.env` files. Never commit these files to GitHub or public repositories. Add `.env` to your `.gitignore`.
Backend Routing	Create an intermediary backend server (using Express, FastAPI, or Django). Your front-end talks to your backend, and your backend securely holds the Fikra API key and forwards the inference request.
Key Rotation	If you suspect a leak, navigate to your Dashboard immediately, revoke the compromised key, and generate a new one.

How do I handle 401 Unauthorized errors?

If the API rejects your authentication attempt, our proxy server will immediately return an HTTP 401 Unauthorized error. Use this checklist to debug the issue.

Error Cause	Debugging Step
Missing Header	Verify your HTTP client is injecting the `Authorization` header in the request.
Malformed Header	Ensure there is exactly one space between the word `Bearer` and your API key.
Revoked Key	Check your Fikra API Dashboard. If the key was manually deleted or compromised, you must generate a new one.
Trailing Whitespace	Ensure your environment variable loader isn't accidentally including spaces or newline characters at the end of the key string.

Next Topic

API Endpoints →

Explore the /chat/completions payload requirements.

Reference

Model Registry →

Review latency and context window specifications.