Every request to the AnythingLLM API must be authenticated with a valid API key. Keys are issued through the admin panel and are passed as a Bearer token in the Authorization header. There is no separate login step or OAuth flow: as long as the key is present and matches a key stored in your instance, the request is authorised.
Generating an API Key
API keys are managed entirely within your AnythingLLM instance:
- Open your AnythingLLM instance in a browser.
- Navigate to Settings → API Keys.
- Click Generate New API Key.
- Copy the key immediately — it will not be shown again in full after you leave the page.
Passing the Key in Requests
Include the API key on every API request as a Bearer token in the Authorization HTTP header:
Bearer token used to authenticate the request. Format: Bearer YOUR_API_KEY. Example: Authorization: Bearer ABC-1234-XXXX
uuid-apikey library), for example: ABC-1234-XXXX-YYYY.
Verifying Your API Key
Before making application calls you can verify a key is valid by hitting the dedicated auth endpoint. This is useful as a health-check, during CI/CD pipelines, or when debugging connectivity issues.
Endpoint: GET /api/v1/auth
Responses
200 OK (key is valid):
Authenticated Request Example
Here is a complete example of a workspace chat request with the Authorization header included:
Single-User vs Multi-User Mode
API key behaviour differs slightly depending on how your instance is configured:
| Mode | Key scope | Notes |
|---|---|---|
| Single-user | Instance-wide | One or more keys may be created; all have full access to the API. |
| Multi-user | Instance-wide | Keys are created by admins and carry admin-level permissions. Regular user sessions use JWT session tokens, not API keys. |
Admin-only endpoints (under /v1/admin/) are only accessible when multi-user mode is enabled. Calling them on a single-user instance returns 401: Instance is not in Multi-User mode. Method denied.
Environment Variables
AnythingLLM exposes several environment variables in server/.env that relate to authentication. These are distinct from API keys and primarily control session tokens used by the browser UI.
| Variable | Default | Description |
|---|---|---|
| JWT_SECRET | (required) | Random string (min 12 chars) used to sign session JWTs. Rotate this to invalidate all active UI sessions. |
| JWT_EXPIRY | 30d | Expiry duration for UI session tokens. Accepts any value valid for the ms library, e.g. 1d, 8h, 30d. |
| AUTH_TOKEN | (unset) | Password for single-user mode when you want to protect the UI login screen on a remote server. |
| DISABLE_SWAGGER_DOCS | false | Set to true to disable the interactive Swagger UI at /api/docs. Has no effect on API functionality. |
Error Reference
All authentication errors return HTTP 403 with a JSON body:
| HTTP Status | Cause |
|---|---|
| 403 | Authorization header is missing, malformed, or contains an unknown key |
| 401 | The endpoint requires multi-user mode which is not enabled |
If you receive a 403 on a request you believe should succeed, check that:
- The Authorization header is spelled correctly and uses the Bearer prefix (note the trailing space).
- The key has not been deleted from Settings → API Keys.
- You are targeting the correct instance URL and port.
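The key check described under Verifying Your API Key, written as a CI step that maps the status codes from the error reference to an exit code. This is an added example, not code from the AnythingLLM project; the environment variable names ANYTHINGLLM_BASE_URL and ANYTHINGLLM_API_KEY and the default URL are assumptions.

```python
import os
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects so the Authorization header never reaches another host."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError with the 3xx status


def check_api_key(base_url, api_key, timeout=5.0):
    """Classify the response of GET /api/v1/auth without ever logging the key."""
    if not api_key or any(ch.isspace() for ch in api_key):
        return "malformed"  # never sent: blocks empty keys and header injection
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/auth",
        headers={"Authorization": "Bearer " + api_key},
    )
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    except OSError:  # URLError, refused connection, timeout
        return "unreachable"
    if status == 200:
        return "valid"
    if status == 403:
        return "rejected"  # missing, malformed or unknown key per the error table
    return f"unexpected:{status}"


def main():
    # Assumed names and default URL; supply real values from the CI secret store.
    base_url = os.environ.get("ANYTHINGLLM_BASE_URL", "http://localhost:3001")
    result = check_api_key(base_url, os.environ.get("ANYTHINGLLM_API_KEY", ""))
    print(f"AnythingLLM API key check: {result}")  # outcome only, never the key
    return 0 if result == "valid" else 1


if __name__ == "__main__":
    sys.exit(main())
```

A result of unexpected:3xx usually means the base URL points at a proxy or the wrong scheme; fix the URL rather than enabling redirects, since following one would forward the key to the redirect target.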