Quick Fix
Check for extra spaces or line breaks in your API key. Ensure you're using the correct header format for your provider.
Common Authentication Errors
Authentication errors are well-documented across providers. See OpenAI's error codes,Anthropic's error handling, andGoogle's Vertex AI error codes for provider-specific details.
401 Unauthorized
Invalid, missing, or expired API key. The server cannot authenticate your request.
"Invalid API key provided"403 Forbidden
Valid key but insufficient permissions. You're authenticated but not authorized.
"Permission denied for resource"402 Payment Required
Valid authentication but insufficient credits or payment issues.
"Insufficient credits"Invalid Format
API key doesn't match expected format or contains invalid characters.
"Malformed API key"API Key Formats by Provider
Each provider has specific key formats and requirements. Refer to official documentation:OpenAI API Reference,Anthropic API Reference, and Cohere API Reference.
| Provider | Key Format | Header | Example |
|---|---|---|---|
| OpenAI | sk-... (48 chars) | Authorization | Bearer sk-abc123... |
| Anthropic | sk-ant-... | x-api-key | sk-ant-api03... |
| API key or Service Account | X-API-Key | AIzaSy... | |
| Azure OpenAI | Deployment key | api-key | 32 character hex |
| AWS Bedrock | IAM credentials | AWS Signature v4 | Access Key + Secret |
Quick Fixes
Authentication Checklist
- Remove any whitespace or line breaks from your API key
- Verify you're using the correct header name for your provider
- Check if "Bearer" prefix is required (OpenAI: yes, Anthropic: no)
- Ensure API key has necessary permissions for the model/endpoint
- Verify organization/project ID if required
- Check if API key is active and not revoked
Proper Environment Variable Setup
The most common cause of authentication errors is improper API key storage and retrieval. Best practices are covered inOpenAI's error handling guide andcommunity troubleshooting discussions.
Best Practice: Using .env Files
# .env file (never commit this!)
OPENAI_API_KEY=sk-abc123...
ANTHROPIC_API_KEY=sk-ant-api03...
GOOGLE_API_KEY=AIzaSy...
# .env.example (commit this instead)
OPENAI_API_KEY=your-openai-api-key-here
ANTHROPIC_API_KEY=your-anthropic-api-key-here
GOOGLE_API_KEY=your-google-api-key-herePython: Secure Key Loading
import os
from pathlib import Path
from dotenv import load_dotenv
import sys
# Load environment variables
load_dotenv()
class APIKeyManager:
"""Secure API key management with validation"""
@staticmethod
def get_api_key(provider: str) -> str:
"""Get and validate API key for provider"""
# Define key patterns
key_patterns = {
'openai': {
'env_var': 'OPENAI_API_KEY',
'prefix': 'sk-',
'length': 48
},
'anthropic': {
'env_var': 'ANTHROPIC_API_KEY',
'prefix': 'sk-ant-',
'min_length': 20
}
}
config = key_patterns.get(provider)
if not config:
raise ValueError(f"Unknown provider: {provider}")
# Try to get key from environment
api_key = os.getenv(config['env_var'])
# Fallback to file-based storage
if not api_key:
key_file = Path.home() / f'.{provider}' / 'api_key'
if key_file.exists():
api_key = key_file.read_text().strip()
# Validate key
if not api_key:
raise ValueError(
f"No API key found for {provider}. "
f"Set {config['env_var']} environment variable."
)
# Remove common copy/paste errors
api_key = api_key.strip().replace('\n', '').replace(' ', '')
# Validate format
if config.get('prefix') and not api_key.startswith(config['prefix']):
raise ValueError(
f"Invalid {provider} API key format. "
f"Expected to start with '{config['prefix']}'"
)
if config.get('length') and len(api_key) != config['length']:
raise ValueError(
f"Invalid {provider} API key length. "
f"Expected {config['length']} characters, got {len(api_key)}"
)
return api_key
# Usage
try:
openai_key = APIKeyManager.get_api_key('openai')
print("✓ OpenAI API key loaded successfully")
except ValueError as e:
print(f"✗ Error: {e}")
sys.exit(1)TypeScript: Robust Authentication Setup
interface AuthConfig {
provider: string;
apiKey: string;
orgId?: string;
baseUrl?: string;
}
class AuthenticationManager {
private configs: Map<string, AuthConfig> = new Map();
constructor() {
this.loadConfigurations();
}
private loadConfigurations(): void {
// OpenAI configuration
const openaiKey = process.env.OPENAI_API_KEY?.trim();
if (openaiKey) {
this.validateAndStore('openai', {
provider: 'openai',
apiKey: openaiKey,
orgId: process.env.OPENAI_ORG_ID,
baseUrl: 'https://api.openai.com/v1'
});
}
// Anthropic configuration
const anthropicKey = process.env.ANTHROPIC_API_KEY?.trim();
if (anthropicKey) {
this.validateAndStore('anthropic', {
provider: 'anthropic',
apiKey: anthropicKey,
baseUrl: 'https://api.anthropic.com/v1'
});
}
}
private validateAndStore(provider: string, config: AuthConfig): void {
// Remove common formatting issues
config.apiKey = config.apiKey
.replace(/\s+/g, '') // Remove all whitespace
.replace(/\\n/g, ''); // Remove escaped newlines
// Provider-specific validation
switch (provider) {
case 'openai':
if (!config.apiKey.startsWith('sk-')) {
throw new Error('OpenAI API key must start with "sk-"');
}
if (config.apiKey.length !== 51) { // sk- + 48 chars
console.warn('OpenAI API key has unexpected length');
}
break;
case 'anthropic':
if (!config.apiKey.startsWith('sk-ant-')) {
throw new Error('Anthropic API key must start with "sk-ant-"');
}
break;
}
this.configs.set(provider, config);
}
getHeaders(provider: string): Record<string, string> {
const config = this.configs.get(provider);
if (!config) {
throw new Error(`No configuration found for provider: ${provider}`);
}
const headers: Record<string, string> = {
'Content-Type': 'application/json',
};
// Provider-specific headers
switch (provider) {
case 'openai':
headers['Authorization'] = `Bearer ${config.apiKey}`;
if (config.orgId) {
headers['OpenAI-Organization'] = config.orgId;
}
break;
case 'anthropic':
headers['x-api-key'] = config.apiKey;
headers['anthropic-version'] = '2023-06-01';
break;
case 'google':
headers['X-API-Key'] = config.apiKey;
break;
}
return headers;
}
async testAuthentication(provider: string): Promise<boolean> {
try {
const headers = this.getHeaders(provider);
const config = this.configs.get(provider)!;
// Test endpoints by provider
const testEndpoints: Record<string, string> = {
openai: '/models',
anthropic: '/messages',
google: '/models',
};
const response = await fetch(
`${config.baseUrl}${testEndpoints[provider] || '/models'}`,
{ headers, method: 'GET' }
);
if (response.status === 401) {
const error = await response.json();
console.error(`Authentication failed for ${provider}:`, error);
return false;
}
return response.ok;
} catch (error) {
console.error(`Failed to test ${provider} authentication:`, error);
return false;
}
}
}
// Usage
const authManager = new AuthenticationManager();
// Test authentication
const providers = ['openai', 'anthropic'];
for (const provider of providers) {
const isValid = await authManager.testAuthentication(provider);
console.log(`${provider}: ${isValid ? '✓' : '✗'}`);
}Debugging Authentication Issues
1. Verify API Key Format
# Check for hidden characters
echo -n "$OPENAI_API_KEY" | od -c
# Validate length
echo -n "$OPENAI_API_KEY" | wc -c
# Test with curl (verbose mode)
curl -v https://api.openai.com/v1/models \
-H "Authorization: Bearer $OPENAI_API_KEY" \
-H "Content-Type: application/json"2. Common Copy/Paste Issues
❌ Wrong
# Extra newline
OPENAI_API_KEY=sk-abc123...
↩
# Quotes included
OPENAI_API_KEY="sk-abc123..."
# Space at end
OPENAI_API_KEY=sk-abc123... ✅ Correct
# Clean, no extras
OPENAI_API_KEY=sk-abc123...
# Properly trimmed
OPENAI_API_KEY=sk-abc123...
# No hidden chars
OPENAI_API_KEY=sk-abc123...3. Request Interceptor for Debugging
// Add request interceptor to log headers
const debugInterceptor = (config) => {
console.log('🔍 Request Debug Info:');
console.log('URL:', config.url);
console.log('Headers:', {
...config.headers,
// Mask sensitive data
'Authorization': config.headers.Authorization
? `Bearer ${config.headers.Authorization.substring(7, 15)}...`
: 'Not set',
'x-api-key': config.headers['x-api-key']
? `${config.headers['x-api-key'].substring(0, 10)}...`
: 'Not set'
});
return config;
};
// Axios
axios.interceptors.request.use(debugInterceptor);
// Fetch wrapper
const debugFetch = async (url, options = {}) => {
debugInterceptor({ url, ...options });
return fetch(url, options);
};Handling Permission & Scope Errors
OpenAI Organization Access
import openai
# Set both API key and organization
openai.api_key = os.getenv("OPENAI_API_KEY")
openai.organization = os.getenv("OPENAI_ORG_ID") # org-xxxxx
# Or use in headers directly
headers = {
"Authorization": f"Bearer {api_key}",
"OpenAI-Organization": "org-xxxxx" # Required for org access
}Google Cloud Service Account
from google.oauth2 import service_account
import google.auth.transport.requests
# Load service account credentials
credentials = service_account.Credentials.from_service_account_file(
'path/to/service-account-key.json',
scopes=['https://www.googleapis.com/auth/cloud-platform']
)
# Get access token
auth_req = google.auth.transport.requests.Request()
credentials.refresh(auth_req)
access_token = credentials.token
# Use in requests
headers = {
'Authorization': f'Bearer {access_token}',
'Content-Type': 'application/json'
}Security Best Practices
Do's
- ✓ Use environment variables
- ✓ Add .env to .gitignore
- ✓ Rotate keys regularly
- ✓ Use separate keys for dev/prod
- ✓ Store keys in secure vaults
- ✓ Implement key validation
- ✓ Monitor authentication failures
Don'ts
- ✗ Never hardcode API keys
- ✗ Don't commit keys to git
- ✗ Don't share keys in logs
- ✗ Don't use same key everywhere
- ✗ Don't ignore expiration dates
- ✗ Don't store keys in frontend
- ✗ Don't send keys in URLs
API Key Rotation Strategy
import threading
import time
from datetime import datetime, timedelta
class APIKeyRotationManager:
"""Manage API key rotation with zero downtime"""
def __init__(self):
self.active_keys = {}
self.pending_keys = {}
self.rotation_schedule = {}
def schedule_rotation(self, provider: str, days: int = 90):
"""Schedule automatic key rotation"""
next_rotation = datetime.now() + timedelta(days=days)
self.rotation_schedule[provider] = next_rotation
# Set up rotation timer
def rotate():
self.rotate_key(provider)
self.schedule_rotation(provider, days) # Reschedule
timer = threading.Timer(days * 86400, rotate)
timer.daemon = True
timer.start()
def rotate_key(self, provider: str, new_key: str = None):
"""Rotate API key with grace period"""
# Generate or use provided new key
if not new_key:
new_key = self.generate_new_key(provider)
# Test new key before activation
if not self.test_key(provider, new_key):
raise ValueError("New key validation failed")
# Store old key temporarily
old_key = self.active_keys.get(provider)
if old_key:
self.pending_keys[f"{provider}_old"] = old_key
# Activate new key
self.active_keys[provider] = new_key
# Grace period before revoking old key
if old_key:
def revoke_old():
self.revoke_key(provider, old_key)
del self.pending_keys[f"{provider}_old"]
timer = threading.Timer(300, revoke_old) # 5 min grace
timer.daemon = True
timer.start()
print(f"✓ Rotated {provider} API key successfully")
def test_key(self, provider: str, api_key: str) -> bool:
"""Test if API key is valid"""
test_endpoints = {
'openai': 'https://api.openai.com/v1/models',
'anthropic': 'https://api.anthropic.com/v1/messages',
}
# Implementation depends on provider
# Return True if key is valid
return True
def get_active_key(self, provider: str) -> str:
"""Get current active key for provider"""
key = self.active_keys.get(provider)
if not key:
raise ValueError(f"No active key for {provider}")
return key
# Usage
rotation_manager = APIKeyRotationManager()
# Schedule automatic rotation every 90 days
rotation_manager.schedule_rotation('openai', days=90)
# Manual rotation
rotation_manager.rotate_key('openai', 'sk-new-key-here')Multi-Provider Authentication
class MultiProviderAuthClient {
private providers: Map<string, ProviderConfig> = new Map();
constructor() {
this.initializeProviders();
}
private initializeProviders(): void {
// Load all provider configurations
const providers = [
{
name: 'openai',
apiKey: process.env.OPENAI_API_KEY,
baseUrl: 'https://api.openai.com/v1',
authHeader: 'Authorization',
authFormat: 'Bearer {key}'
},
{
name: 'anthropic',
apiKey: process.env.ANTHROPIC_API_KEY,
baseUrl: 'https://api.anthropic.com/v1',
authHeader: 'x-api-key',
authFormat: '{key}'
},
{
name: 'google',
apiKey: process.env.GOOGLE_API_KEY,
baseUrl: 'https://generativelanguage.googleapis.com/v1',
authHeader: 'X-API-Key',
authFormat: '{key}'
}
];
for (const provider of providers) {
if (provider.apiKey) {
this.providers.set(provider.name, provider);
}
}
}
async makeAuthenticatedRequest(
provider: string,
endpoint: string,
options: RequestInit = {}
): Promise<Response> {
const config = this.providers.get(provider);
if (!config) {
throw new Error(`Provider ${provider} not configured`);
}
// Build auth header
const authValue = config.authFormat.replace('{key}', config.apiKey);
const headers = {
[config.authHeader]: authValue,
'Content-Type': 'application/json',
...options.headers
};
try {
const response = await fetch(`${config.baseUrl}${endpoint}`, {
...options,
headers
});
if (response.status === 401) {
throw new AuthenticationError(
`Authentication failed for ${provider}: ${response.statusText}`
);
}
if (response.status === 403) {
throw new PermissionError(
`Permission denied for ${provider}: ${response.statusText}`
);
}
return response;
} catch (error) {
// Enhanced error logging
console.error(`[${provider}] Request failed:`, {
endpoint,
error: error.message,
status: error.response?.status
});
throw error;
}
}
// Convenience methods for each provider
async openai(endpoint: string, options?: RequestInit) {
return this.makeAuthenticatedRequest('openai', endpoint, options);
}
async anthropic(endpoint: string, options?: RequestInit) {
return this.makeAuthenticatedRequest('anthropic', endpoint, options);
}
async google(endpoint: string, options?: RequestInit) {
return this.makeAuthenticatedRequest('google', endpoint, options);
}
}
// Usage
const client = new MultiProviderAuthClient();
// Make authenticated requests
const models = await client.openai('/models');
const messages = await client.anthropic('/messages', {
method: 'POST',
body: JSON.stringify({
model: 'claude-3-opus-20240229',
messages: [{ role: 'user', content: 'Hello' }]
})
});Advanced Troubleshooting
When Nothing Else Works
- 1. Regenerate your API key
Sometimes keys get corrupted or cached incorrectly. Generate a fresh key.
- 2. Check provider status
Visit provider status pages to ensure services are operational.
- 3. Verify account status
Ensure your account is active, verified, and has necessary permissions.
- 4. Test with minimal code
# Minimal test with curl curl https://api.openai.com/v1/models \ -H "Authorization: Bearer YOUR_KEY_HERE" - 5. Check firewall/proxy settings
Corporate networks may block API requests. Test from different network.
Key Rotation
Learn to rotate API keys without downtime.
Rotation guide →Security Guide
Best practices for API key security.
Security practices →Provider Setup
Step-by-step setup for each provider.
Setup guides →References
- [1] OpenAI. "Error Codes Reference" (2024)
- [2] Anthropic. "API Error Codes" (2025)
- [3] Google Cloud. "Vertex AI Error Codes" (2025)
- [4] OpenAI Community. "Authentication Error Troubleshooting" (2025)
- [5] Anthropic. "Security Best Practices" (2025)
- [6] Google Cloud. "Authentication Security" (2024)
- [7] Google Cloud. "Service Account Key Management" (2024)
- [8] Microsoft Azure. "Azure OpenAI Authentication Fixes" (2025)