Authentication in oMLX is optional by design. When you run the server on localhost without setting an API key, every request is accepted without any credentials. This is the recommended configuration for local development and personal use where the server is not exposed to a network. If you do expose oMLX on a LAN or over the internet, enabling an API key is strongly recommended.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/jundot/omlx/llms.txt
Use this file to discover all available pages before exploring further.
Enabling API key authentication
Set the API key at startup
Pass The key is persisted to
--api-key when launching the server:~/.omlx/settings.json, so subsequent server restarts require the key automatically.Passing the API key in requests
Once an API key is set, every API request must include it as a Bearer token in theAuthorization header:
x-api-key header instead. oMLX accepts both headers for full SDK compatibility:
Using sub-keys
The admin panel lets you create sub-keys — additional API keys scoped to API access only. Sub-keys are useful for granting access to specific clients (e.g., a coding agent) without sharing your main key. All sub-keys are checked alongside the main key on every request.Skipping verification for localhost
If you set an API key but want to allow localhost clients to skip presenting it — for example, when running browser-based tools on the same machine — you can enable Skip API key verification in the admin panel under Global Settings → Authentication. With this option on, the key is still required for remote connections but localhost requests are accepted without credentials.The skip-verification option is intended for local development convenience only. Do not enable it if oMLX is accessible from other machines on your network.
Error response
When authentication fails, the server returns HTTP401 Unauthorized:
Authorization header or x-api-key header is present when a key is configured, the response is: