Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.livepeer.org/llms.txt

Use this file to discover all available pages before exploring further.

Authentication requirements depend on which gateway you target. The community gateway at dream-gateway.livepeer.cloud accepts unauthenticated requests for development and testing. Managed gateway providers and self-hosted gateways require a Bearer token in the Authorization header.

API key types

Gateway providers that require authentication issue two key types: A backend key in client-side code is a critical security vulnerability. Use the correct type for the deployment context.

Using a backend API key

Pass the key as a Bearer token in the Authorization header: 
curl -X POST https://dream-gateway.livepeer.cloud/text-to-image \
  -H "Authorization: Bearer $LIVEPEER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"prompt": "a mountain at dawn", "model_id": "SG161222/RealVisXL_V4.0_Lightning"}'
In environment variables: 
# .env (never commit this file)
LIVEPEER_API_KEY=your-api-key-here

// Never hardcode; always read from environment
const client = new Livepeer({ apiKey: process.env.LIVEPEER_API_KEY });

CORS-enabled keys for browser applications

When your frontend makes direct API calls, use a CORS-enabled key scoped to specific asset or stream IDs. A leaked CORS key cannot access other resources in your account. 
// Safe to bundle in a React or Next.js frontend
const client = new Livepeer({
  apiKey: process.env.NEXT_PUBLIC_LIVEPEER_CORS_KEY, // CORS-enabled key
});
The NEXT_PUBLIC_ prefix makes the variable available client-side in Next.js. Do not use this prefix for backend API keys.

Self-hosted gateway authentication

Self-hosted gateways (go-livepeer in broadcaster mode) use a different authentication model. The gateway authenticates to the network via its Ethereum keystore and TicketBroker deposit. Client requests to your self-hosted gateway use whatever authentication layer you add in front of it (reverse proxy, API gateway, or application middleware). For production, pymthouse provides OIDC identity, usage-based billing, and a managed payment signer as a hosted or self-hosted backend for your self-hosted gateway.

Key rotation

Rotate API keys on a schedule and immediately if a key is exposed. Gateway providers let you create multiple active keys and delete compromised ones without downtime. Recommended rotation schedule:
  • Production backend keys: every 90 days
  • After any team member offboarding
  • Immediately after any suspected exposure
Keep API keys out of version control. If a key appears in a commit, treat it as compromised and rotate immediately.

Authentication errors

A 401 Unauthorized response means the key is missing, malformed, or invalid: 
{"error": "Unauthorized", "message": "Invalid API key"}
Check:
  1. The Authorization header is present and formatted as Bearer <key> (not Bearer: <key>)
  2. The key value has no leading or trailing whitespace
  3. The key has not been deleted or revoked
  4. You are using a backend key for a server-side request, not a CORS key
  5. You are not targeting the community gateway with an auth header (it does not require one)
See job debugging for the full error diagnosis flow.
Last modified on May 19, 2026