Authentication

Authenticate requests to Removit API

All requests to Removit API require API key authentication. This section explains the supported headers and the safest backend integration pattern for a production image processing API.

Authentication should live in your backend or proxy layer so the public client never exposes secrets while calling the asynchronous API.

Authenticated request

Upload with X-API-Key

This example uses the recommended X-API-Key header for a server-side JSON upload request.

curl -X POST "https://api.removit.eu/api/v1/upload" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: <YOUR_API_KEY>" \
  -d '{
    "file_url": "https://example.com/image.jpg",
    "mode": "background"
  }'

401 Unauthorized response

If the API key is missing or invalid, the API returns a 401 Unauthorized response and the request must be retried with valid credentials.

401 Unauthorized

Handle 401 responses explicitly in your backend so your clients receive a controlled integration error instead of a silent failure.

{
  "error": "unauthorized",
  "message": "API key missing"
}

Supported authentication methods

The API accepts two header formats. The recommended one for server-to-server integrations is X-API-Key.

Primary header

Use X-API-Key: <YOUR_API_KEY> for the clearest server-side integration pattern.

Alternative header

Authorization: Bearer <YOUR_API_KEY> is also accepted when you prefer a bearer-style scheme.

Recommended integration style

Keep the API key in environment variables and forward the request through your own backend.

Header reference

These are the practical header forms accepted by Removit API and commonly used in examples.

Recommended

X-API-Key: <YOUR_API_KEY>

More explicit for backend integrations and internal proxies.

Alternative

Authorization: Bearer <YOUR_API_KEY>

Accepted if your platform standardizes on bearer tokens.

JSON uploads

Content-Type: application/json

Required when you send a file_url payload in JSON.

Where authentication is required

Authentication is not optional on the core workflow endpoints.

Upload endpoint

POST /api/v1/upload

Required for remote URL uploads and multipart uploads.

Status endpoint

GET /api/v1/status

Required for every job status polling request.

Security best practices

These backend integration rules reduce accidental key leakage and make troubleshooting safer in production.

  • Never expose the API key in a public frontend application.
  • Store the key in environment variables or a secrets manager.
  • Use a backend, proxy, or worker to forward requests to Removit API.
  • Log authentication failures without logging the raw API key itself.
  • Treat 401 responses as first-class integration events with explicit retry or escalation behavior.

Recommended backend flow

In a frontend + backend architecture, the backend should own the Removit API request lifecycle.

01. Receive the image input from the frontend

The frontend submits either a file or a remote URL to your own backend.

02. Call Removit API from the backend

The backend injects the API key, creates the upload job, and stores the job_id.

03. Manage polling centrally

Your backend polls /status or relays the job state to the frontend without exposing secrets.
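
Steps 01 and 02, combined with the 401 and logging rules from the best practices list, as a backend function. This is an added example, not Removit's own code: the environment variable name REMOVIT_API_KEY, the names UpstreamAuthError, key_fingerprint and create_job, and a JSON upload response containing job_id are assumptions.

```python
import hashlib
import json
import logging
import os
import urllib.error
import urllib.request

UPLOAD_URL = "https://api.removit.eu/api/v1/upload"  # endpoint from this page
log = logging.getLogger("removit_proxy")  # hypothetical logger name


class UpstreamAuthError(Exception):
    """Controlled error the backend returns to its own clients on a 401."""


def key_fingerprint(api_key):
    # Safe for logs: identifies which key was used without revealing it.
    return hashlib.sha256(api_key.encode()).hexdigest()[:8]


def build_upload_request(file_url, mode, api_key):
    # The key is injected server-side; the frontend only supplies file_url and mode.
    body = json.dumps({"file_url": file_url, "mode": mode}).encode()
    headers = {"Content-Type": "application/json", "X-API-Key": api_key}
    return urllib.request.Request(UPLOAD_URL, data=body, headers=headers, method="POST")


def create_job(file_url, mode, opener=urllib.request.urlopen):
    api_key = os.environ.get("REMOVIT_API_KEY", "")  # assumed variable name
    if not api_key:
        raise UpstreamAuthError("image service is not configured")
    req = build_upload_request(file_url, mode, api_key)
    try:
        with opener(req, timeout=10) as resp:
            # Assumption: the upload response is JSON and carries job_id.
            return json.load(resp)["job_id"]
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            # Log for escalation; retrying with the same key cannot succeed.
            log.error("Removit returned 401 (key sha256 prefix %s)",
                      key_fingerprint(api_key))
            raise UpstreamAuthError("image service authentication failed") from exc
        raise
```

The opener parameter exists so the function can be exercised without network access; in production the default urllib.request.urlopen is used.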