Authentication
The Civitai site API uses bearer tokens generated from your account settings. A single token covers every endpoint that accepts authentication.
How to pass the token
Two methods are supported. The header form is strongly preferred; the query-param form exists mainly for download-tool compatibility and leaks the token into access logs and caches.
Authorization header (preferred)
curl -H "Authorization: Bearer $CIVITAI_TOKEN" \
"https://civitai.com/api/v1/me"Query parameter
curl "https://civitai.com/api/v1/me?token=$CIVITAI_TOKEN"Which endpoints require a token?
Endpoints fall into three categories:
| Category | Behavior without a token | Examples |
|---|---|---|
| Public | Full access. | GET /creators, GET /tags, GET /images, GET /models/{id}, GET /model-versions/* |
| Mixed | Accessible, but some filter params or fields may be unavailable. | GET /models (the favorites and hidden query params require auth) |
| Authenticated | 401 Unauthorized. | GET /me |
Each page in the Reference notes which category an endpoint falls into.
What 401 looks like
Calling an authenticated endpoint without a token — or with an invalid one — returns:
HTTP/2 401
Content-Type: application/json
{"error":"Unauthorized"}Mixed endpoints silently degrade to anonymous access when no token is provided; they only return 401 if you pass an auth-only filter (e.g. ?favorites=true) without a valid session.
Caching and auth
Public endpoints set Cache-Control: public, s-maxage=300, stale-while-revalidate=150 — responses are cached for 5 minutes at the edge. When you call an endpoint with a valid token, caching is skipped so personalized responses aren't shared.
CORS is open for public endpoints (Access-Control-Allow-Origin: *); authenticated requests are restricted to Civitai-owned origins.
Security tips
- Tokens are account-scoped. Rotating one means rotating everywhere it's used.
- If you suspect a leak, delete the key from your account settings and issue a new one.
- Prefer the
Authorizationheader over?token=; query params end up in server logs, browser history, and proxy caches. - Never embed a token in client-side code shipped to browsers or mobile apps.