Authentication overview

Together AI utilizes API keys as the primary mechanism for authenticating requests to its platform. This method ensures that all interactions with the Together AI Inference API and fine-tuning services are authorized. An API key acts as a unique identifier and secret token, which clients must include with each request to verify their identity and permissions.

The authentication process typically involves sending the API key in the Authorization header of HTTP requests. This approach aligns with common practices for securing web APIs, where a bearer token model is frequently adopted. The API key grants access to the resources associated with the user account that generated it, including the ability to run various open-source large language models (LLMs) and manage fine-tuning jobs.

Together AI provides a developer console for managing API keys, allowing users to generate new keys, revoke existing ones, and monitor API usage. This centralized management helps maintain control over access to the platform's resources. The system is designed to provide a straightforward developer experience, enabling quick integration and secure operation of AI applications.

Supported authentication methods

Together AI primarily supports API key authentication for accessing its services. This method is consistent across its various APIs, including the inference API for running LLMs and the fine-tuning API for custom model development. The API key functions as a bearer token, which is a common pattern in modern API security.

The table below summarizes the supported authentication method, its typical use cases, and the general security level it provides:

| Method | When to Use | Security Level |
|---|---|---|
| API Key (Bearer Token) | All API interactions (inference, fine-tuning, data management) | High (when managed securely) |

API keys are strings that grant access to your Together AI account. They should be treated as sensitive credentials, similar to passwords. The platform's infrastructure is built with security in mind, including SOC 2 Type II compliance, which indicates adherence to specific security and availability controls.

While API keys are the primary method, developers are encouraged to implement additional security measures on their end, such as environment variable storage and regular key rotation, to enhance overall security posture. For more complex scenarios requiring delegated access without sharing direct credentials, industry standards like OAuth 2.0 are often used, though Together AI's direct API access focuses on API keys.

Getting your credentials

To interact with Together AI's services, you will need to generate an API key from your Together AI account. This key serves as your credential for authenticating API requests.

  1. Create an Account: If you don't already have one, sign up for a Together AI account on their homepage.
  2. Access the Developer Console: Log in to your Together AI account. Navigate to the developer console or dashboard, which typically contains sections for API key management.
  3. Generate a New API Key: Look for a section labeled "API Keys", "Settings", or "Credentials". There, you should find an option to "Create new key" or "Generate API key".
  4. Name Your Key (Optional but Recommended): Some platforms allow you to assign a descriptive name to your API key. This helps in identifying the key's purpose, especially if you manage multiple keys for different applications or environments.
  5. Copy the API Key: Once generated, the API key will be displayed. It is crucial to copy this key immediately and store it securely, as it may only be shown once for security reasons. If lost, you might need to generate a new one.
  6. Store Securely: Store your API key in a secure location. Avoid hardcoding it directly into your application's source code. Recommended methods include using environment variables, a secure configuration management system, or a secret management service.

Together AI's official documentation provides detailed, step-by-step instructions for generating and managing API keys within their developer console.

Authenticated request example

Once you have obtained your Together AI API key, you can use it to authenticate your API requests. The API key must be included in the Authorization header of your HTTP requests as a Bearer token. Below are examples using cURL and Python, two of the primary ways to interact with Together AI.

cURL Example

This cURL example demonstrates how to make a request to the Together AI Inference API, specifying a model and a prompt, while including the API key in the header.

curl https://api.together.xyz/v1/completions \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_TOGETHER_AI_API_KEY" \
  -d '{ "model": "mistralai/Mistral-7B-Instruct-v0.2", "prompt": "What is the capital of France?", "max_tokens": 50 }'

Replace YOUR_TOGETHER_AI_API_KEY with your actual API key.

Python Example

The Together AI Python SDK simplifies interaction with the API. You typically set the API key as an environment variable or pass it directly when initializing the client.

import os
from together import Together

# It's recommended to store your API key as an environment variable
# For example: export TOGETHER_API_KEY="YOUR_TOGETHER_AI_API_KEY"
api_key = os.environ.get("TOGETHER_API_KEY")

if not api_key:
    raise ValueError("TOGETHER_API_KEY environment variable not set")

client = Together(api_key=api_key)

def get_completion(prompt):
    response = client.completions.create(
        model="mistralai/Mistral-7B-Instruct-v0.2",
        prompt=prompt,
        max_tokens=50
    )
    return response.choices[0].text

# Example usage
user_prompt = "Explain the concept of machine learning in simple terms."
completion_text = get_completion(user_prompt)
print(completion_text)

This Python code snippet demonstrates initializing the Together client with an API key retrieved from an environment variable and then making a completion request. This method is considered a best practice for handling sensitive credentials in code.
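The following added example (not Together AI's code, and not part of the original page) goes one step beyond the snippet above: it loads the key from the environment, attaches the Bearer header only to HTTPS requests for an expected host, and produces a log-safe form of the key. The `ALLOWED_HOSTS` allowlist and the helper names `load_key`, `redact` and `build_request` are assumptions for illustration; the request is built with the standard library and never sent.

```python
import os
import urllib.request
from urllib.parse import urlsplit

# Host taken from the cURL example on this page; the allowlist itself is an assumption.
ALLOWED_HOSTS = {"api.together.xyz"}


def load_key(env=None):
    """Read the key from TOGETHER_API_KEY; reject empty or placeholder values."""
    env = os.environ if env is None else env
    key = (env.get("TOGETHER_API_KEY") or "").strip()
    if not key or key.startswith("YOUR_"):
        raise ValueError("TOGETHER_API_KEY is unset or still a placeholder")
    return key


def redact(key):
    """Log-safe form of the key: only the last four characters survive."""
    return "****" + key[-4:] if len(key) >= 12 else "****"


def build_request(url, body, key):
    """Attach the bearer token only to HTTPS requests for an allowed host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send API key over scheme {parts.scheme!r}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"refusing to send API key to host {parts.hostname!r}")
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {key}"},
    )


if __name__ == "__main__":
    # Constructed key for demonstration; nothing is sent over the network.
    demo_key = load_key({"TOGETHER_API_KEY": "constructed-key-0123456789"})
    req = build_request("https://api.together.xyz/v1/completions", b"{}", demo_key)
    print(req.full_url, "Authorization: Bearer", redact(demo_key))
```

The host check uses the parsed hostname, so a URL that merely contains `api.together.xyz` in its userinfo or as a subdomain prefix of another domain is rejected before the key is attached.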

Security best practices

Securing your API keys is critical to prevent unauthorized access to your Together AI account and services. Adhering to the following best practices can significantly enhance the security posture of your applications.

  • Treat API Keys as Secrets: Your Together AI API key is as sensitive as a password. Never hardcode it directly into your application's source code, commit it to version control (like Git), or expose it in client-side code (e.g., JavaScript in a web browser) where it could be publicly accessible.

  • Use Environment Variables: Store API keys as environment variables on your server or development machine. This method keeps the key out of your codebase and allows for easy rotation without code changes. For example, in Linux/macOS, you can use export TOGETHER_API_KEY="your_key_here".

  • Utilize Secret Management Services: For production environments, consider using dedicated secret management services like AWS Secrets Manager, Google Secret Manager, Azure Key Vault, or HashiCorp Vault. These services provide secure storage, retrieval, and rotation of API keys and other sensitive credentials.

  • Restrict Access to Keys: Limit who has access to your API keys. Only authorized personnel should be able to view or modify them. Implement strong access controls for your development and production environments.

  • Regularly Rotate API Keys: Periodically generate new API keys and revoke old ones. This practice minimizes the risk if a key is compromised without your knowledge. The frequency of rotation depends on your security policy and risk assessment.

  • Implement Least Privilege: If Together AI introduces features for key-specific permissions in the future, always grant the minimum necessary permissions to each API key. This limits the damage if a key is compromised.

  • Monitor API Usage: Regularly review your API usage logs in the Together AI developer console. Anomalous patterns could indicate unauthorized use of your API key.

  • Secure Your Development Environment: Ensure your local development machine and any CI/CD pipelines are secure. Malicious software or misconfigurations can expose environment variables or configuration files containing API keys.

  • Use HTTPS/TLS: Always ensure that your API requests are made over HTTPS (TLS). This encrypts the communication between your application and Together AI's servers, protecting your API key from interception during transit. Together AI's API endpoints are designed to enforce HTTPS, but it's a good general practice to verify this in your client configurations, as highlighted by Mozilla's TLS security guidance.
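To back up the "never hardcode or commit" rule with a check, here is an added example (not from the original page or from Together AI) of a small scanner that could run as a pre-commit or CI step. The page does not document the key's format, so the patterns are assumptions that match how a key gets embedded (a Bearer header literal or an `api_key` / `TOGETHER_API_KEY` assignment); the sample input and the keys in it are constructed.

```python
import re

# Assumption: the page does not document the key's format, so these patterns look
# for how a key gets embedded (header literal, assignment), not for its shape.
PATTERNS = {
    "bearer-literal": re.compile(
        r"Authorization[\"']?\s*:\s*f?[\"']?Bearer\s+([^\s\"']+)", re.I),
    "key-assignment": re.compile(
        r"(?:TOGETHER_API_KEY|api_key)\s*[=:]\s*[\"']([^\"']+)[\"']", re.I),
}
# Values that are references or documentation placeholders, not real secrets.
SAFE = re.compile(r"^(\$|\{|<|YOUR_)", re.I)


def scan(path, text):
    """Return (path, line number, rule, masked value) for each suspect literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if not SAFE.match(value):
                    # Never echo the secret itself into scanner output.
                    findings.append((path, lineno, rule, f"<{len(value)} chars>"))
    return findings


# Constructed sample: lines 1-4 are acceptable, lines 5-6 embed a made-up key.
SAMPLE = '''\
api_key = os.environ.get("TOGETHER_API_KEY")
client = Together(api_key=api_key)
curl -H "Authorization: Bearer $TOGETHER_API_KEY" https://api.together.xyz/v1/completions
export TOGETHER_API_KEY="your_key_here"
client = Together(api_key="constructed-not-a-real-key-0001")
headers = {"Authorization": "Bearer constructed-not-a-real-key-0002"}
'''

if __name__ == "__main__":
    for finding in scan("app.py", SAMPLE):
        print(finding)
```

A finding from a check like this means the key should be treated as exposed: revoke it in the developer console and issue a new one rather than only deleting the line.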