Skip to main content
Reactor uses API keys to authenticate requests. JavaScript apps exchange the key for a short-lived token; Python apps pass the key directly.

Get your API key

1

Create an account

Sign up at reactor.inc.
2

Create an API key

Open the Dashboard, click your user icon, then navigate to API Keys to create a new key.
3

Copy your key

Your key starts with rk_. Store it securely and never commit it to source control.

JavaScript

How it works

Your server exchanges the API key for a short-lived token, which the browser uses to connect. Tokens are valid for up to 6 hours by default, or shorter if you set expires_after. If a token leaks, it expires on its own and the blast radius is limited to that token’s validity window.
Server exchanges API key for a token, passes token to browser, browser connects to Reactor

Generate a token

Exchange your API key for a short-lived token by making a POST request to the /tokens endpoint with your API key in the Reactor-API-Key header:
Default (6-hour expiry)
const result = await fetch("https://api.reactor.inc/tokens", {
  method: "POST",
  headers: { "Reactor-API-Key": process.env.REACTOR_API_KEY },
});
const { jwt, expires_at } = await result.json();
Custom expiry
const result = await fetch("https://api.reactor.inc/tokens", {
  method: "POST",
  headers: {
    "Reactor-API-Key": process.env.REACTOR_API_KEY,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ expires_after: Number(process.env.TOKEN_LIFETIME_SECONDS) }),
});
const { jwt, expires_at } = await result.json();
Tokens live for at most 6 hours. Omit expires_after to get the full 6 hours; pass it (in seconds) to shorten the lifetime. Values at or above the ceiling are silently clamped.The server still returns 200, so always check expires_at (a Unix epoch timestamp) on the response to confirm the actual expiry.
Don’t store your API key in client-side code. Use your server as a proxy to generate short-lived tokens, as shown below.

Server-side proxy

Set up an API route on your server that calls the /tokens endpoint and returns the token to your frontend:
import { NextResponse } from "next/server";

export async function POST() {
  const result = await fetch("https://api.reactor.inc/tokens", {
    method: "POST",
    headers: { "Reactor-API-Key": process.env.REACTOR_API_KEY! },
  });
  const { jwt } = await result.json();

  return NextResponse.json({ jwt });
}
app.post("/api/token", async (_req, res) => {
  const result = await fetch("https://api.reactor.inc/tokens", {
    method: "POST",
    headers: { "Reactor-API-Key": process.env.REACTOR_API_KEY! },
  });
  const { jwt } = await result.json();

  res.json({ jwt });
});
Then fetch the token from your frontend and pass it to the SDK:
app/page.tsx
"use client";

import { use } from "react";
import { ReactorProvider, ReactorView } from "@reactor-team/js-sdk";

async function getToken() {
  const result = await fetch("/api/token", { method: "POST" });
  const { jwt } = await result.json();
  return jwt;
}

const tokenPromise = getToken();

export default function App() {
  const token = use(tokenPromise);
  return (
    <ReactorProvider modelName="your-model-name" jwtToken={token}>
      <ReactorView className="w-full aspect-video" />
    </ReactorProvider>
  );
}
If your API key is compromised, rotate it immediately from the Dashboard. Rotating does not affect active sessions. Need help? Join us on Discord.
Adopting an existing session. If your backend creates a session and hands the sessionId to a client, the token that client connects with must belong to the same account that owns the session. Mint it through the same /tokens flow. See Sessions.