Every request to the AnythingLLM API must be authenticated with a valid API key. Keys are issued through the admin panel and are passed as a Bearer token in the Authorization header. There is no separate login step or OAuth flow — as long as the key is present and matches a key stored in your instance, the request is authorised.

Generating an API Key

API keys are managed entirely within your AnythingLLM instance:
  1. Open your AnythingLLM instance in a browser.
  2. Navigate to Settings → API Keys.
  3. Click Generate New API Key.
  4. Copy the key immediately — it will not be shown again in full after you leave the page.
Store your API key in a secrets manager or environment variable — never hard-code it in client-side code or commit it to source control. If a key is compromised, delete it from Settings → API Keys immediately and generate a replacement. Old keys are permanently invalidated the moment they are deleted.

Passing the Key in Requests

Include the API key on every API request as a Bearer token in the Authorization HTTP header:
Authorization (string, required): Bearer token used to authenticate the request. Format: Bearer YOUR_API_KEY. Example: Authorization: Bearer ABC-1234-XXXX
curl -X GET "http://your-instance:3001/api/v1/auth" \
  -H "Authorization: Bearer YOUR_API_KEY"
The key format produced by AnythingLLM looks like a hyphen-separated alphanumeric string (generated by the uuid-apikey library), for example: ABC-1234-XXXX-YYYY.

Verifying Your API Key

Before making application calls you can verify a key is valid by hitting the dedicated auth endpoint. This is useful as a health-check, during CI/CD pipelines, or when debugging connectivity issues.
Endpoint: GET /api/v1/auth
curl -X GET "http://your-instance:3001/api/v1/auth" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

Responses

200 OK — key is valid:
{
  "authenticated": true
}
403 Forbidden — key is missing or invalid:
{
  "error": "No valid api key found."
}
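
A pre-flight check for the CI/CD use mentioned above, as an added example that is not AnythingLLM project code: it calls GET /api/v1/auth and maps the documented 200 and 403 responses to exit codes. The variable names ANYTHINGLLM_URL and ANYTHINGLLM_API_KEY and both function names are assumptions.

```shell
#!/bin/sh
# Added example (not AnythingLLM project code): CI pre-flight check of an API key.
# ANYTHINGLLM_URL and ANYTHINGLLM_API_KEY are assumed variable names.

# Classify the status code ($1) and body ($2) returned by GET /api/v1/auth.
# Prints a result word; returns 0 only when the key was accepted.
classify_auth_response() {
  case "$1" in
    200)
      # Require the documented body so another service answering 200
      # on a wrong URL or port is not mistaken for success.
      if printf '%s' "$2" | grep -Eq '"authenticated"[[:space:]]*:[[:space:]]*true'; then
        echo valid; return 0
      fi
      echo unexpected-body; return 3 ;;
    403) echo rejected; return 1 ;;        # missing, malformed or unknown key
    ''|000) echo unreachable; return 2 ;;  # curl produced no HTTP status
    *) echo "unexpected-status-$1"; return 3 ;;
  esac
}

# Query the auth endpoint. The header is fed to curl on stdin (-H @-, curl
# 7.55.0 or later) by printf, a builtin in bash and dash, so the key is
# never placed in a process argument list.
check_api_key() {
  if [ -z "${ANYTHINGLLM_URL:-}" ] || [ -z "${ANYTHINGLLM_API_KEY:-}" ]; then
    echo "ANYTHINGLLM_URL and ANYTHINGLLM_API_KEY must be set" >&2
    return 4
  fi
  case "$ANYTHINGLLM_URL" in
    https://*) ;;
    *) echo "warning: non-HTTPS URL, the key is sent unencrypted" >&2 ;;
  esac
  resp=$(printf 'Authorization: Bearer %s\n' "$ANYTHINGLLM_API_KEY" |
    curl -sS --max-time 10 -w '\n%{http_code}' -H @- \
      "${ANYTHINGLLM_URL%/}/api/v1/auth") || true
  code=$(printf '%s\n' "$resp" | tail -n 1)   # last line is the status code
  body=$(printf '%s\n' "$resp" | sed '$d')    # everything before it is the body
  classify_auth_response "$code" "$body"
}

# Usage in a pipeline step: check_api_key || exit 1
```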

Authenticated Request Example

Here is a complete example of a workspace chat request with the Authorization header included:
curl -X POST "http://your-instance:3001/api/v1/workspace/my-workspace/chat" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "message": "What is AnythingLLM?",
    "mode": "chat"
  }'

Single-User vs Multi-User Mode

API key behaviour differs slightly depending on how your instance is configured:
| Mode | Key scope | Notes |
| --- | --- | --- |
| Single-user | Instance-wide | One or more keys may be created; all have full access to the API. |
| Multi-user | Instance-wide | Keys are created by admins and carry admin-level permissions. Regular user sessions use JWT session tokens, not API keys. |
Admin-only endpoints (under /v1/admin/) are only accessible when multi-user mode is enabled. Calling them on a single-user instance returns 401 — Instance is not in Multi-User mode. Method denied.

Environment Variables

AnythingLLM exposes several environment variables in server/.env that relate to authentication. These are distinct from API keys and primarily control session tokens used by the browser UI.
| Variable | Default | Description |
| --- | --- | --- |
| JWT_SECRET | (required) | Random string (min 12 chars) used to sign session JWTs. Rotate this to invalidate all active UI sessions. |
| JWT_EXPIRY | 30d | Expiry duration for UI session tokens. Accepts any value valid for the ms library, e.g. 1d, 8h, 30d. |
| AUTH_TOKEN | (unset) | Password for single-user mode when you want to protect the UI login screen on a remote server. |
| DISABLE_SWAGGER_DOCS | false | Set to true to disable the interactive Swagger UI at /api/docs. Has no effect on API functionality. |
JWT_SECRET and AUTH_TOKEN apply only to browser-based sessions. API key authentication is entirely separate — changing JWT_SECRET does not invalidate existing API keys.

Error Reference

All authentication errors return HTTP 403 with a JSON body:
{
  "error": "No valid api key found."
}
| HTTP Status | Cause |
| --- | --- |
| 403 | Authorization header is missing, malformed, or contains an unknown key |
| 401 | The endpoint requires multi-user mode which is not enabled |
If you receive a 403 on a request you believe should succeed, check that:
  • The Authorization header is spelled correctly and uses the Bearer prefix (note the trailing space).
  • The key has not been deleted from Settings → API Keys.
  • You are targeting the correct instance URL and port.
