AT
Auto Toon DocsAuthentication
Learn how to authenticate your requests to the Auto Toon API.
API Key Authentication
All API requests require authentication via the x-api-key header. Keys follow the format:
text
toon_[prefix]_[random]Total length is approximately 54 characters. The prefix is used for identification without exposing the full key.
Keys are hashed using Argon2 before being stored, so the full key cannot be retrieved after creation. You can generate and manage keys from the Developer Dashboard.
Getting an API Key
- Sign up at auto-toon.com
- Subscribe to a plan (Starter: up to 4 keys, Pro: up to 10 keys)
- Go to the Developer Dashboard
- Click "Generate API Key"
- Copy and store the key securely — it is shown only once
Your API key is displayed only at the time of creation. If you lose it, you will need to generate a new one and revoke the old key.
API Key Management Endpoints
POST
/api/keysGenerate a new API key.
Request Body
| Parameter | Type | Required | Description |
|---|---|---|---|
name | string | Optional | A friendly label for the key (e.g. "My Integration") |
Example Request
json
{
"name": "My Integration"
}Response
json
{
"id": "clx1abc...",
"key": "toon_xx_abc123...",
"name": "My Integration",
"prefix": "xx",
"createdAt": "2026-04-01T12:00:00.000Z"
}The full
key value is only returned once at creation. Store it immediately.GET
/api/keysList all API keys associated with your account.
Response
json
{
"keys": [
{
"id": "clx1abc...",
"name": "My Integration",
"prefix": "xx",
"lastUsedAt": "2026-04-01T15:30:00.000Z",
"createdAt": "2026-04-01T12:00:00.000Z"
}
]
}DELETE
/api/keys/[id]Revoke an API key. This action is irreversible.
Response
json
{
"success": true
}Example Request
Here is a complete example using curl to call the enhance-product endpoint with an API key:
bash
curl -X POST https://auto-toon.com/api/enhance-product \
-H "Content-Type: application/json" \
-H "x-api-key: toon_xx_your_api_key_here" \
-d '{"imageUrl": "...", "productName": "..."}'Security Best Practices
Never expose your API keys in client-side code, public repositories, or anywhere accessible to end users. Treat your API key like a password.
- Use environment variables — Store keys in
.envfiles or your platform's secret manager, never hard-coded in source. - Rotate keys periodically — Generate new keys and revoke old ones on a regular schedule to limit exposure.
- Revoke unused keys — Delete any keys that are no longer in use from the Developer Dashboard.
- Server-side only — API calls should always be made from your backend. Never call the Auto Toon API directly from a browser.