Authentication

Every request to the AquaMeter AI API must be authenticated with an API key passed as a Bearer token.

Bearer token

Include your API key in the Authorization header of every request. The value must be the word Bearer followed by a single space and your key.

Header
Authorization: Bearer aqm_live_YOUR_API_KEY
curl
curl -X POST https://www.aquameter.site/api/meter-reading \
  -H "Authorization: Bearer aqm_live_YOUR_API_KEY" \
  -F "image=@meter.jpg"

Token format

All API keys are prefixed with aqm_live_ followed by 32 random hexadecimal characters. You can use the prefix to identify AquaMeter keys in your secrets manager.

Example key (not real)

aqm_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4

Generating API keys

1

Go to API Keys in your dashboard.

2

Click "Create API Key", enter a project name, and set the initial status.

3

Copy the full key immediately — it is shown only once after creation.

4

Store the key securely (environment variable, secrets manager).

Go to API Keys →

Authentication errors

All authentication failures return 422 with an errors.authorization field. See Errors for the full envelope.

StatusCauseFix
422No Authorization headerAdd the Authorization: Bearer <key> header
422Malformed header (missing Bearer)Ensure the format is exactly Bearer <space> <key>
422Key not found or deletedRegenerate a key from the dashboard
422Key is inactiveEnable the key from the API Keys page
JSON — example error body
{
  "errors": {
    "authorization": ["Invalid or inactive API key"]
  }
}

Security best practices

Never hard-code a key in source code or commit it to a repository.
Store keys in environment variables or a secrets manager (e.g. AWS Secrets Manager, Doppler).
Use separate keys per environment (development, staging, production).
Rotate keys immediately if you suspect they have been leaked.
Delete keys that are no longer in use.
OverviewEndpoint