Every request to the Vast.ai API must include an API key. This page covers how to create keys, how to include them in requests, and key lifecycle details.
Create an API Key
Generate a key from the Keys page in the web console:
- Click +New.
- Give the key a name (optional but recommended — e.g. “CI pipeline” or “notebook”).
- Copy the key immediately — you’ll only see it once.
Use an API Key
Include your key as a Bearer token in the Authorization header:
curl -s -H "Authorization: Bearer $VAST_API_KEY" \
  "https://console.vast.ai/api/v0/users/current/"
A common pattern is to store your key in an environment variable:
export VAST_API_KEY="your-api-key-here"
This keeps the key out of your code and makes it easy to rotate.
If you get a 401 Unauthorized or 403 Forbidden response, double-check your API key. The most common causes are a typo, an expired key, or a scoped key that lacks the required permission for the endpoint you’re calling.
Verify Your Key
A quick way to confirm your key works is to fetch your account info:
curl -s -H "Authorization: Bearer $VAST_API_KEY" \
  "https://console.vast.ai/api/v0/users/current/"
A successful response includes your user ID, email, balance, and SSH key:
{
  "id": 123456,
  "email": "you@example.com",
  "credit": 25.00,
  "ssh_key": "ssh-rsa AAAAB3..."
}
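The verification call above, wrapped as an added example (not part of the Vast.ai documentation) that keeps the key out of the curl command line and maps the status codes discussed earlier to a likely cause. The function names are hypothetical, and `-H @-` assumes curl 7.55.0 or later.

```shell
#!/usr/bin/env bash
# Added example. Function names are hypothetical; the endpoint URL and the
# Bearer scheme are the ones shown on this page.
VAST_VERIFY_URL="https://console.vast.ai/api/v0/users/current/"

# Print the Authorization header line; fail if the key is unset or unsafe.
vast_auth_header() {
  local stripped
  if [ -z "${VAST_API_KEY:-}" ]; then
    echo "VAST_API_KEY is not set" >&2
    return 2
  fi
  # A pasted newline or stray whitespace would corrupt the header or
  # smuggle in a second one, so reject it rather than send it.
  stripped=$(printf '%s' "$VAST_API_KEY" | tr -d '[:space:][:cntrl:]')
  if [ "$stripped" != "$VAST_API_KEY" ]; then
    echo "VAST_API_KEY contains whitespace or control characters" >&2
    return 2
  fi
  printf 'Authorization: Bearer %s\n' "$VAST_API_KEY"
}

# Map an HTTP status code to the likely cause.
vast_diagnose_status() {
  case "$1" in
    200)     echo "ok: key accepted" ;;
    401|403) echo "auth-rejected: typo, expired key, or scoped key lacking permission" ;;
    000)     echo "no-response: network or TLS failure, key was not evaluated" ;;
    *)       echo "unexpected: HTTP $1" ;;
  esac
}

# Call the account endpoint; returns 0 only when the key is accepted.
vast_verify_key() {
  local header status
  header=$(vast_auth_header) || return 2
  # -H @- makes curl read the header from stdin, so the key never appears
  # in the curl command line (visible to other local users via ps).
  # The response body (email, SSH key) is discarded; only the status is kept.
  status=$(printf '%s\n' "$header" |
    curl -s -o /dev/null -w '%{http_code}' --max-time 15 \
      -H @- "$VAST_VERIFY_URL") || true
  vast_diagnose_status "${status:-000}"
  [ "$status" = "200" ]
}
```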
Scoped Keys and Permissions
By default, the web console creates a full-access key. For CI/CD pipelines, shared tooling, or team environments, you should create scoped keys that restrict access to only the permissions you need.
For example, a key that can only read and manage instances (but cannot access billing):
{
  "api": {
    "misc": {},
    "user_read": {},
    "instance_read": {},
    "instance_write": {}
  }
}
See the Permissions page for the full list of permission categories, endpoint mappings, constraint syntax, and advanced examples.
Key Expiration
API keys do not expire by default. You can revoke a key at any time from the Keys page or by calling the Delete API Key endpoint.
Treat your API key like a password. Do not commit keys to version control or share them in plaintext. If a key is compromised, revoke it immediately and create a new one.