# Authentication

> How to authenticate requests to the Bloom API.

Every request to the Bloom API needs either a Bloom API key or a Bloom OAuth access token. API keys are simplest for server-side automations. OAuth is the right fit for app integrations where a user signs in with Bloom and grants access.

## API keys

Generate an API key from your [account settings](https://www.trybloom.ai/settings#api-keys) and treat it as a secret — rotate any that may have been exposed.

You can send the key in either of two headers; both accept the same key. If both headers are present, `x-api-key` wins.

### `x-api-key` header

```http theme={null}
x-api-key: bloom_sk_...
```

### `Authorization: Bearer` header

```http theme={null}
Authorization: Bearer bloom_sk_...
```

Use whichever fits your client. `x-api-key` is the most direct; `Authorization: Bearer` is useful when you're working with HTTP libraries that expect that shape (most SDKs, many low-code tools).
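The following is an added example, not code from the Bloom docs or any Bloom SDK. It models the header rules above from both sides: a client helper that emits either header shape, and a server-style resolver that applies the stated precedence (`x-api-key` wins when both are present) and accepts only the `Bearer` scheme on `Authorization`. Classifying a value as an API key by the `bloom_sk_` prefix is an assumption drawn from the sample values on this page, not a documented rule, and the sample header sets are constructed.

```python
"""Resolving Bloom API credentials from request headers (added example, not Bloom's code)."""
from dataclasses import dataclass
from typing import Mapping, Optional

# Assumption: API keys start with this prefix, based on the sample values shown on the page.
API_KEY_PREFIX = "bloom_sk_"


@dataclass(frozen=True)
class Credential:
    kind: str    # "api_key" or "oauth_token"
    value: str
    source: str  # header the value was taken from


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def resolve_credential(headers: Mapping[str, str]) -> Optional[Credential]:
    """Pick the credential a request presents, applying the page's precedence rule."""
    api_key = _header(headers, "x-api-key")
    if api_key:
        # x-api-key takes precedence even if an Authorization header is also present.
        return Credential("api_key", api_key, "x-api-key")

    auth = _header(headers, "authorization")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None  # only the Bearer scheme is documented; reject Basic and friends
    kind = "api_key" if token.startswith(API_KEY_PREFIX) else "oauth_token"
    return Credential(kind, token, "authorization")


def auth_headers(secret: str, style: str = "x-api-key") -> dict:
    """Client side: build the outgoing header in either of the two accepted shapes."""
    if style == "x-api-key":
        return {"x-api-key": secret}
    if style == "bearer":
        return {"Authorization": f"Bearer {secret}"}
    raise ValueError("style must be 'x-api-key' or 'bearer'")


def redact(value: str) -> str:
    """Log-safe rendering of a credential: keep the key prefix and at most the last 4 chars."""
    if not value.startswith(API_KEY_PREFIX):
        return "<oauth token>"
    tail = value[len(API_KEY_PREFIX):]
    suffix = tail[-4:] if len(tail) >= 12 else ""
    return f"{API_KEY_PREFIX}...{suffix}"


if __name__ == "__main__":
    # Constructed sample request: both headers present, so x-api-key must win.
    sample = {"X-Api-Key": "bloom_sk_abcdefghijklmnop", "Authorization": "Bearer bloom_sk_other"}
    cred = resolve_credential(sample)
    print(cred.kind, cred.source, redact(cred.value))
```

Read the key from an environment variable or a secrets manager rather than a source file, and only ever log the `redact` form; the resolver's rejection of non-`Bearer` schemes is the behaviour to expect from a server that documents only the two header shapes above.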

## OAuth access tokens

The REST API also accepts Bloom OAuth access tokens:

```http theme={null}
Authorization: Bearer <bloom_oauth_access_token>
```

OAuth tokens resolve to the same user identity as an API key. They have the same access to brands, images, credits, plan gates, and workspaces.

Bloom's OAuth endpoints are:

```text theme={null}
Issuer: https://www.trybloom.ai/api/auth
Dynamic client registration: https://www.trybloom.ai/api/auth/oauth2/register
Authorize: https://www.trybloom.ai/api/auth/oauth2/authorize
Token: https://www.trybloom.ai/api/auth/oauth2/token
API base: https://www.trybloom.ai/api/v1
```

Public clients should use the Authorization Code grant with PKCE (`S256`) and register through dynamic client registration. The registration request body looks like this:

```json theme={null}
{
  "token_endpoint_auth_method": "none",
  "type": "user-agent-based",
  "grant_types": ["authorization_code", "refresh_token"],
  "response_types": ["code"],
  "redirect_uris": ["https://your-app.example/oauth/callback"]
}
```

For app integrations with public clients, do not use a `client_secret`: a secret shipped in a browser or native app cannot be kept secret, which is why `token_endpoint_auth_method` is `none` and PKCE binds the code to the client instead. Register the exact callback URL for the current deploy and send that exact `redirect_uri` in the authorize request; wildcard redirect URIs are not supported, and a mismatch will be rejected.
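The client side of that flow, as an added example that is not Bloom's code or SDK: it generates a PKCE verifier/challenge pair per RFC 7636, produces the registration body from this page, builds the authorize redirect with the exact registered `redirect_uri`, validates the callback's `state`, and forms the token and refresh requests for a public client. The `client_id` placeholder, the assumption that the registration response returns a `client_id` as in RFC 7591, and the callback URL are assumptions; nothing is sent over the network.

```python
"""Authorization Code + PKCE (S256) client messages for the Bloom OAuth endpoints.

Added example, not code from the Bloom docs or any Bloom SDK.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

ISSUER = "https://www.trybloom.ai/api/auth"
REGISTER_URL = f"{ISSUER}/oauth2/register"
AUTHORIZE_URL = f"{ISSUER}/oauth2/authorize"
TOKEN_URL = f"{ISSUER}/oauth2/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for method S256."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_challenge(verifier: str, challenge: str) -> bool:
    """What the token endpoint checks: S256(code_verifier) must equal the stored challenge."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest()) == challenge


def registration_body(redirect_uri: str) -> dict:
    """The public-client registration document shown on this page, with one exact callback."""
    return {
        "token_endpoint_auth_method": "none",
        "type": "user-agent-based",
        "grant_types": ["authorization_code", "refresh_token"],
        "response_types": ["code"],
        "redirect_uris": [redirect_uri],
    }


def authorize_url(client_id: str, redirect_uri: str, state: str, challenge: str) -> str:
    """Build the redirect to the authorize endpoint. redirect_uri must match the registered value exactly."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the code from the callback; reject state mismatches (CSRF) and error replies."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Form body for the token endpoint. No client_secret: this is a public client."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }


def refresh_request(client_id: str, refresh_token: str) -> dict:
    """Form body for exchanging a refresh token (the other grant type registered above)."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": client_id}


if __name__ == "__main__":
    redirect = "https://your-app.example/oauth/callback"  # placeholder, taken from the page
    print(f"POST {REGISTER_URL}\n{json.dumps(registration_body(redirect), indent=2)}")
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    # Assumption: the registration response carries a client_id, as in RFC 7591.
    print(authorize_url("CLIENT_ID_FROM_REGISTRATION", redirect, state, challenge))
```

Keep the `code_verifier` and `state` in server-side or per-session storage until the callback arrives; the verifier is what proves to the token endpoint that the party redeeming the code is the one that started the flow, which is the whole protection a public client has in place of a secret.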
