API Key Missing
api_key_missing401
No API key was included in the request. Add one to the Authorization header or X-API-Key header.
What this means
The request reached an authenticated endpoint but didn't include any credential. We don't know what you were trying to do — there's no key, no session, no token of any kind. The request was rejected before any business logic ran. This is purely structural: the header isn't there.
When you'll see this
- A new integration is missing the auth setup step entirely.
- A request was built by a tool (curl, Postman) without the auth header configured.
- An HTTP client lost the header during a redirect or proxy hop.
- The header name was set incorrectly (e.g.
apikeyinstead ofAuthorization: BearerorX-API-Key).
Learn more about how this works
Asterwise accepts API keys in two header formats: Authorization: Bearer <key> (OAuth-style) or X-API-Key: <key> (direct). Either works; pick one. When neither is present, we return api_key_missing rather than guessing. We don't fall back to query parameters or request body for keys — keys belong in headers because that's where they survive caching, logging hygiene, and proxy semantics correctly.
The most common gotcha: when this fires from production code that's been working, the header is usually being stripped somewhere. Check your HTTP client's redirect behavior (many strip Authorization on cross-origin redirects by default) and any reverse-proxy or API-gateway hops between your service and Asterwise.
Example response
{
"success": false,
"error": "api_key_missing",
"message": "API key is missing. Include it in the Authorization header as 'Bearer YOUR_KEY'.",
"details": [],
"retry_after": null,
"doc_url": "https://docs.asterwise.com/reference/errors/api_key_missing",
"request_id": "req_01HXYZABCDEFGH",
"timestamp": "2026-05-25T12:34:56Z"
}
- Get an API key at asterwise.com/dashboard.
- Add the header to your request:
Authorization: Bearer aw_your_key_here, orX-API-Key: aw_your_key_here
- Retry the request.
This is a configuration error in your client, not a runtime condition to handle gracefully. Surface during integration; don't catch in steady-state code.
Python:
Production handler
- Python
- TypeScript
import httpx
import os
def call_asterwise(url, payload):
api_key = os.environ["ASTERWISE_API_KEY"]
headers = {"Authorization": f"Bearer {api_key}"}
response = httpx.post(url, headers=headers, json=payload, timeout=30)
if response.status_code == 401:
body = response.json()
if body.get("error") == "api_key_missing":
raise RuntimeError(
"ASTERWISE_API_KEY not reaching server. "
"Check header construction and proxy config."
)
response.raise_for_status()
return response.json()
async function callAsterwise(url: string, payload: unknown) {
const apiKey = process.env.ASTERWISE_API_KEY!;
const response = await fetch(url, {
method: "POST",
headers: { Authorization: `Bearer ${apiKey}` },
body: JSON.stringify(payload),
});
if (response.status === 401) {
const body = await response.json();
if (body.error === "api_key_missing") {
throw new Error(
"ASTERWISE_API_KEY not reaching server. " +
"Check header construction and proxy config.",
);
}
}
if (!response.ok) throw new Error(`HTTP ${response.status}`);
return response.json();
}
Avoid this error by
- Store keys in environment variables, never in source code.
ASTERWISE_API_KEYshould be checked at startup, not per request. - Add a startup health check: call a cheap authenticated endpoint (e.g.
GET /v1/keys/me) once at boot to confirm credentials are wired correctly before serving traffic. - If you use a proxy, gateway, or service mesh, verify it forwards the
Authorizationheader. Many strip it by default for security. - For SDKs you write yourself, validate the API key parameter at construction time, not at first request.