Authentication
ThumbAPI uses Bearer token authentication. Every request must include your API key in the Authorization header.
Getting Your API Key
- Sign up at thumbapi.dev
- Go to your dashboard → API Keys
- Copy your key (starts with
tb_live_)
The free tier gives you 3 generations per month. No credit card required.
Using Your Key
Include the key in every API request:
Authorization: Bearer tb_live_your_api_key_here
Example Request
curl -X POST https://api.thumbapi.dev/v1/generate \
-H "Authorization: Bearer tb_live_abc123def456" \
-H "Content-Type: application/json" \
-d '{"title": "Test", "format": "youtube", "imageStyle": "faceless"}'
Security Best Practices
Never hardcode your API key. Use environment variables:
# .env
THUMBAPI_KEY=tb_live_abc123def456
// Node.js
const key = process.env.THUMBAPI_KEY;
# Python
import os
key = os.environ["THUMBAPI_KEY"]
Never expose your key in client-side code. ThumbAPI requests should only be made from your server or backend.
Rotate your key if you suspect it has been compromised. Generate a new key from the dashboard and update your environment variables.
Authentication Errors
| Status | Error | Cause |
|---|---|---|
401 | Missing authorization header | No Authorization header sent |
401 | Invalid API key | Key is wrong, expired, or revoked |
403 | API access not enabled | Your plan does not include API access |
Next Steps
- Quickstart — make your first request
- Rate limits — understand your usage limits
- Error codes — full error reference