Mira Docs

Authentication

The Mira API uses bearer-token authentication. Every request to a protected endpoint must carry a valid API key in the Authorization header.

Get a key

Sign in at platform.vmira.ai/api-keys and click Create key. Keys are shown only once at creation time — store them in a password manager or your CI/CD secret store immediately.

Key format

format
sk-mira-{40 hex characters}

Total length is 48 characters. The sk-mira-prefix is constant; anything that doesn't match it isn't a Mira key.

Sending the key

Pass the key in the HTTP Authorization header using the bearer scheme:

header
Authorization: Bearer sk-mira-...
bash
curl https://api.vmira.ai/v1/chat/completions \
  -H "Authorization: Bearer $MIRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "mira",
    "messages": [{"role": "user", "content": "Hello"}]
  }'
python
from openai import OpenAI

client = OpenAI(
    api_key="sk-mira-...",
    base_url="https://api.vmira.ai/v1",
)
print(client.chat.completions.create(
    model="mira",
    messages=[{"role": "user", "content": "Hello"}],
).choices[0].message.content)

Environment variables

Recommended pattern: read the key from MIRA_API_KEY at startup and never commit it to source control.

shell
# Linux / macOS
export MIRA_API_KEY="sk-mira-..."

# Windows (PowerShell)
$env:MIRA_API_KEY = "sk-mira-..."

# .env file (Next.js, Vite, etc.) — add .env* to .gitignore
MIRA_API_KEY=sk-mira-...

Security best practices

  • Server-side onlyAPI keys must never appear in browser JavaScript, mobile bundles, or public repos. If you need browser access, proxy through your own backend.
  • Environment variablesKeep keys in environment variables (or your CI/CD secret store), not in source code.
  • Rotate periodicallyRotate keys on a schedule and whenever a teammate with access leaves the project.
  • Separate keys per envDedicated keys for dev, staging, and production make incident response far simpler.
  • Revoke immediately if leakedTreat any key that appears in a public commit, Slack message, or screen recording as compromised — revoke it and mint a replacement.
If you accidentally publish an API key (e.g. in a GitHub commit), assume it's been scraped. Revoke it from the dashboard and create a new one before doing anything else.

Next steps

Chat completions

Learn how to send your first request and consume the response.

Errors

HTTP status codes, error envelopes, and retry guidance.

Rate limits

Per-key throughput limits and how to back off when you hit them.

The Mira API uses API keys to authenticate requests. Every request to protected endpoints must include a valid API key in the Authorization header.

API key format

Mira API keys follow a fixed format: the prefix sk-mira- followed by 40 hexadecimal characters. The total key length is 48 characters.

Key format
sk-mira-{40 hex characters}

Example: sk-mira-a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2

Obtaining an API key

There are two ways to obtain a Mira API key:

  • Web dashboardSign in at platform.vmira.ai, navigate to the "API Keys" section, and click "Create key". The key is shown only once — store it in a secure location.
  • Mira Code CLIRun mira auth login in your terminal. The CLI uses the device code authorization flow to link the CLI to your account and automatically obtain a key.

Including the key in requests

Pass the API key in the HTTP Authorization header using the Bearer scheme:

Header
Authorization: Bearer sk-mira-YOUR_API_KEY

cURL

cURL
curl https://api.vmira.ai/v1/chat/completions \
  -H "Authorization: Bearer $MIRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "mira",
    "messages": [{"role": "user", "content": "Hello"}]
  }'

Python

Python
import os
import requests

api_key = os.environ["MIRA_API_KEY"]

response = requests.post(
    "https://api.vmira.ai/v1/chat/completions",
    headers={
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
    },
    json={
        "model": "mira",
        "messages": [{"role": "user", "content": "Hello"}],
    },
)

print(response.json())

JavaScript

JavaScript (Node.js)
const apiKey = process.env.MIRA_API_KEY;

const response = await fetch("https://api.vmira.ai/v1/chat/completions", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${apiKey}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    model: "mira",
    messages: [{ role: "user", content: "Hello" }],
  }),
});

const data = await response.json();
console.log(data);

Environment variables

The recommended way to store your API key is the MIRA_API_KEY environment variable. This prevents accidental exposure in version control.

Setting the environment variable
# Linux / macOS
export MIRA_API_KEY="sk-mira-your-key-here"

# Windows (PowerShell)
$env:MIRA_API_KEY = "sk-mira-your-key-here"

# .env file (for frameworks like Next.js, Vite, etc.)
MIRA_API_KEY=sk-mira-your-key-here

Security best practices

  • Never embed keys in client-side codeAPI keys should only be used server-side. Browser JavaScript, mobile apps, and public repositories must never contain keys.
  • Use environment variablesStore keys in .env files that are listed in .gitignore, or in CI/CD secrets.
  • Rotate keys regularlyPeriodically generate new keys and revoke old ones via the dashboard at platform.vmira.ai.
  • Use separate keys per environmentCreate dedicated keys for development, staging, and production.
  • Revoke compromised keys immediatelyIf a key is exposed publicly, immediately revoke it in the dashboard and generate a replacement.
If you accidentally publish an API key (e.g., in a GitHub commit), treat it as compromised. Revoke it immediately and create a new one.

Device code flow

The Mira Code CLI uses the OAuth 2.0 device authorization flow to authenticate users. This allows the CLI to obtain an API key without requiring manual entry.

Step 1: Request a device code

POST /v1/auth/device/code
curl -X POST https://api.vmira.ai/v1/auth/device/code

Response:

JSON
{
  "device_code": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
  "user_code": "AB3D-7FGH",
  "verification_uri": "https://platform.vmira.ai/authorize",
  "expires_in": 600,
  "interval": 5
}

Step 2: User authorizes the device

The user opens the verification_uri in a browser and enters the user_code (format XXXX-XXXX) to confirm authorization.

Step 3: Poll for the token

POST /v1/auth/device/token
curl -X POST https://api.vmira.ai/v1/auth/device/token \
  -H "Content-Type: application/json" \
  -d '{"device_code": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"}'

The CLI polls this endpoint every interval seconds. Before authorization, status is "pending". After authorization, it returns the API key:

Pending
{"status": "pending"}
Success response
{
  "status": "approved",
  "access_token": "sk-mira-a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
  "token_type": "bearer",
  "expires_in": 2592000
}

Next steps

Endpoint reference

Every HTTP endpoint in one place

Chat completions

Learn how to make API requests

Rate limits

Understand limits and plan tiers