Most users do not need to handle authentication directly. Sign in at openrush.io, connect your AI agent from Setup, and OpenRush handles access for you.
Developers can also create API keys for server-side integrations.
Recommended path
Use the Dashboard:
API keys for developers
Send your key in the Authorization header:
curl "https://api.openrush.io/v1/me/credits" \
-H "Authorization: Bearer $OPENRUSH_KEY"
You can also send:
curl "https://api.openrush.io/v1/me/credits" \
-H "X-API-Key: $OPENRUSH_KEY"
API keys use the or_ prefix. The full key is returned only once when it is created. OpenRush stores a hash, fingerprint, and display prefix, not a retrievable raw key.
Dashboard sessions
When you use the Dashboard or OAuth-based MCP, OpenRush uses your signed-in account. You do not need to copy tokens manually.
For advanced integrations, public API routes can also accept a valid Dashboard session bearer token:
curl "https://api.openrush.io/v1/me/credits" \
-H "Authorization: Bearer $SUPABASE_ACCESS_TOKEN"
OpenRush maps that session to the same account used by API keys. This keeps credits, usage, and billing shared across Dashboard, API key, and MCP access.
Unauthenticated endpoints
This public endpoint does not require an API key:
| Method | Path | Purpose |
|---|
GET or POST | /v1/capabilities | Discover enabled tools and sources |
Create and revoke user credentials
You can create and revoke keys in API access, or use the account API directly.
Create a new key for the current account:
curl -X POST "https://api.openrush.io/v1/me/api-credentials" \
-H "Authorization: Bearer $OPENRUSH_KEY" \
-H "Content-Type: application/json" \
-d '{"name":"production agent"}'
Revoke a key owned by the current account:
curl -X POST "https://api.openrush.io/v1/me/api-credentials/$CREDENTIAL_ID/revoke" \
-H "Authorization: Bearer $OPENRUSH_KEY"
Store the returned key immediately. It is shown once and cannot be retrieved later.