Overview
All 9Pic API requests are authenticated with a long-lived API key sent in the X-API-Key header. Keys are scoped to one organisation and validated on every request, along with the calling host and the URL’s org_id / event_id.
Sending the API Key
Add the X-API-Key header to every request:
Creating an API Key
Open Developer Zone
Sign in to admin.9pic.ai and open the Developer Zone page from the left sidebar.
Create a new token
Click Create Token, then confirm in the dialog. The new key is generated server-side and added to your token list.
Each organisation can have up to 10 API tokens. You can deactivate or delete tokens at any time from the Developer Zone page.
Managing Tokens
From the Developer Zone page you can:
- Activate / Deactivate a token using the toggle. Deactivated tokens are immediately rejected.
- Delete a token permanently. Any service using that token loses access on the next request.
What Gets Validated
Every API call is checked against three things:

| Check | What it enforces |
|---|---|
| API key | The X-API-Key header is present, the token exists, and the token is active. |
| Org ownership | The org_id in the URL belongs to the organisation that owns the token. |
| Event ownership | For event-scoped routes, the event_id in the URL belongs to that organisation. |
| Host | The calling host is on the production allowlist (currently api.9pic.ai). |
403. See Errors for the full list of 403 causes.
Error Responses
| Status | Meaning |
|---|---|
| 401 | The X-API-Key header is missing. |
| 403 | The token is invalid, inactive, the URL identifiers do not belong to the org, or the host is not approved. |
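
A client-side sketch of the scheme described above, added here as an example and not taken from 9Pic's own documentation or SDK: it attaches the X-API-Key header only for HTTPS requests to api.9pic.ai, refuses redirects so the long-lived key is never forwarded to another host, and maps 401/403 to the causes in the table above. The environment variable name `NINEPIC_API_KEY` and the helper names are assumptions; route paths are not given on this page, so callers supply their own.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

API_HOST = "api.9pic.ai"      # the host named in the validation table
KEY_ENV = "NINEPIC_API_KEY"   # assumed variable name, not defined by 9Pic

# Meanings copied from the Error Responses table.
AUTH_ERRORS = {
    401: "X-API-Key header is missing",
    403: "token invalid or inactive, org_id/event_id not owned by the "
         "token's organisation, or host not approved",
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """urllib copies request headers to a redirect target; refuse to follow."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # the 3xx then surfaces as an HTTPError

def build_request(url, api_key):
    """Attach X-API-Key only for an https URL on the 9Pic API host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != API_HOST:
        raise ValueError(f"refusing to send API key to {url!r}")
    if not api_key or any(c.isspace() for c in api_key):
        raise ValueError("API key is empty or contains whitespace")
    return urllib.request.Request(url, headers={"X-API-Key": api_key})

def explain(status):
    """Map an auth failure status to the cause the documentation gives."""
    return AUTH_ERRORS.get(status)

def call(url, api_key=None):
    """GET url with the key from the argument or the environment."""
    req = build_request(url, api_key or os.environ.get(KEY_ENV, ""))
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        reason = explain(err.code)
        if reason:
            raise PermissionError(f"{err.code}: {reason}") from None
        raise
```

Keeping the key in the environment or a secret store rather than in source means a leaked repository does not expose a token that stays valid until it is deactivated or deleted in the Developer Zone.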

