Authentication
The Mira API uses API keys to authenticate requests. Every request to protected endpoints must include a valid API key in the Authorization header.
API key format
Mira API keys follow a fixed format: the prefix sk-mira- followed by 40 hexadecimal characters. The total key length is 48 characters.
sk-mira-{40 hex characters}Example: sk-mira-a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
Obtaining an API key
There are two ways to obtain a Mira API key:
- Web dashboard — Sign in at platform.vmira.ai, navigate to the "API Keys" section, and click "Create key". The key is shown only once — store it in a secure location.
- Mira Code CLI — Run mira auth login in your terminal. The CLI uses the device code authorization flow to link the CLI to your account and automatically obtain a key.
Including the key in requests
Pass the API key in the HTTP Authorization header using the Bearer scheme:
Authorization: Bearer sk-mira-YOUR_API_KEY
cURL
curl https://api.vmira.ai/v1/chat/completions \
-H "Authorization: Bearer $MIRA_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"model": "mira",
"messages": [{"role": "user", "content": "Hello"}]
}'Python
import os
import requests
api_key = os.environ["MIRA_API_KEY"]
response = requests.post(
"https://api.vmira.ai/v1/chat/completions",
headers={
"Authorization": f"Bearer {api_key}",
"Content-Type": "application/json",
},
json={
"model": "mira",
"messages": [{"role": "user", "content": "Hello"}],
},
)
print(response.json())JavaScript
const apiKey = process.env.MIRA_API_KEY;
const response = await fetch("https://api.vmira.ai/v1/chat/completions", {
method: "POST",
headers: {
"Authorization": `Bearer ${apiKey}`,
"Content-Type": "application/json",
},
body: JSON.stringify({
model: "mira",
messages: [{ role: "user", content: "Hello" }],
}),
});
const data = await response.json();
console.log(data);Environment variables
The recommended way to store your API key is the MIRA_API_KEY environment variable. This prevents accidental exposure in version control.
# Linux / macOS export MIRA_API_KEY="sk-mira-your-key-here" # Windows (PowerShell) $env:MIRA_API_KEY = "sk-mira-your-key-here" # .env file (for frameworks like Next.js, Vite, etc.) MIRA_API_KEY=sk-mira-your-key-here
Security best practices
- Never embed keys in client-side code — API keys should only be used server-side. Browser JavaScript, mobile apps, and public repositories must never contain keys.
- Use environment variables — Store keys in .env files that are listed in .gitignore, or in CI/CD secrets.
- Rotate keys regularly — Periodically generate new keys and revoke old ones via the dashboard at platform.vmira.ai.
- Use separate keys per environment — Create dedicated keys for development, staging, and production.
- Revoke compromised keys immediately — If a key is exposed publicly, immediately revoke it in the dashboard and generate a replacement.
Device code flow
The Mira Code CLI uses the OAuth 2.0 device authorization flow to authenticate users. This allows the CLI to obtain an API key without requiring manual entry.
Step 1: Request a device code
curl -X POST https://api.vmira.ai/api/v1/auth/device/code
Response:
{
"device_code": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
"user_code": "AB3D-7FGH",
"verification_uri": "https://platform.vmira.ai/authorize",
"expires_in": 600,
"interval": 5
}Step 2: User authorizes the device
The user opens the verification_uri in a browser and enters the user_code (format XXXX-XXXX) to confirm authorization.
Step 3: Poll for the token
curl -X POST https://api.vmira.ai/api/v1/auth/device/token \
-H "Content-Type: application/json" \
-d '{"device_code": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"}'The CLI polls this endpoint every interval seconds. Before authorization, status is "pending". After authorization, it returns the API key:
{"status": "pending"}{
"status": "approved",
"access_token": "sk-mira-a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
"token_type": "bearer",
"expires_in": 2592000
}