Authentication

Learn how to authenticate API requests with your API key.

Overview

Aluo API uses API Keys for authentication. Each API Key is associated with your account and inherits your account's credit balance and user tier (Free/PRO). All API requests must include a valid API Key in the HTTP header.

Get Your API Key

  1. Log in to your Aluo account
  2. Click your avatar in the top right corner to open user settings
  3. Switch to the "API" tab
  4. Click "Create New Key" button
  5. Set a name for the key (optional)
  6. Copy the generated API Key and store it securely

Important: The API Key is only shown once during creation. Please copy and save it immediately in a secure location. If lost, you will need to delete the old key and create a new one.

API Key Format

Aluo API Keys are prefixed with "sk-" followed by a randomly generated string:

sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Using Your API Key

Include your API Key in the HTTP header of each API request:

Authorization: Bearer sk-your-api-key-here

Example Request

cURL

curl -X POST https://api.aluo.ai/api/remove-bg \
  -H "Authorization: Bearer sk-your-api-key-here" \
  -H "Content-Type: multipart/form-data" \
  -F "imageUrl=https://example.com/image.jpg"

Node.js

const fetch = require('node-fetch');
const FormData = require('form-data');

const form = new FormData();
form.append('imageUrl', 'https://example.com/image.jpg');

const response = await fetch('https://api.aluo.ai/api/remove-bg', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer sk-your-api-key-here'
  },
  body: form
});

const data = await response.json();
console.log(data);

Python

import requests

headers = {
    'Authorization': 'Bearer sk-your-api-key-here'
}

data = {
    'imageUrl': 'https://example.com/image.jpg'
}

response = requests.post(
    'https://api.aluo.ai/api/remove-bg',
    headers=headers,
    data=data
)

result = response.json()
print(result)

Managing API Keys

  • View Keys: View all created API Keys in User Settings > API Tab
  • Delete Keys: Click the delete button next to a key. The key becomes invalid immediately after deletion.
  • Key Limit: Each account can have up to 10 active API Keys

Security Best Practices

  • Never expose API Key in client-side code
    Do not hardcode API Keys in browser JavaScript, mobile apps, or public code repositories.
  • Server-side only
    All API calls should be made from your backend server, not directly from the frontend.
  • Use environment variables
    Store API Keys in environment variables and never commit them to version control.
  • Rotate keys regularly
    Regularly create new keys and delete old ones, especially if a key may have been compromised.
  • Monitor usage
    Check API usage in User Settings > Usage to detect any abnormal activity.