Authentication

To access the Sim API, you need an API key. Sim supports two types of API keys — personal keys and workspace keys — each with different billing and access behaviors.

Key Types

Personal KeysWorkspace Keys
BillingWorkspace payer for workspace-hosted usageWorkspace payer
ScopeAcross workspaces you have access toShared across the workspace
Managed byEach user individuallyWorkspace admins
PermissionsMust be enabled at workspace levelRequire admin permissions

Personal keys identify the user making a request; they do not select who pays. Hosted usage is billed to the workspace's organization or personal billing account and, for organizations, is attributed to the actor's member cap. Workspace admins can disable personal API key usage for their workspace. If disabled, only workspace keys can be used.

Generating API Keys

To generate a personal key, open Account settingsSim API keys. Workspace administrators can create shared keys from Workspace settingsSim API keys.

API keys are only shown once when generated. Store your key securely — you will not be able to view it again.

Using API Keys

Pass your API key in the X-API-Key header with every request:

curl -X POST https://www.sim.ai/api/workflows/{workflowId}/execute \
  -H "Content-Type: application/json" \
  -H "X-API-Key: YOUR_API_KEY" \
  -d '{"inputs": {}}'
const response = await fetch(
  'https://www.sim.ai/api/workflows/{workflowId}/execute',
  {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-API-Key': process.env.SIM_API_KEY!,
    },
    body: JSON.stringify({ inputs: {} }),
  }
)
import requests

response = requests.post(
    "https://www.sim.ai/api/workflows/{workflowId}/execute",
    headers={
        "Content-Type": "application/json",
        "X-API-Key": os.environ["SIM_API_KEY"],
    },
    json={"inputs": {}},
)

Where Keys Are Used

API keys authenticate access to:

  • Workflow execution — run deployed workflows via the API
  • Logs API — query workflow execution logs and metrics
  • MCP servers — authenticate connections to deployed MCP servers
  • SDKs — the Python and TypeScript SDKs use API keys for all operations

Security

  • Keys use the sk-sim- prefix and are encrypted at rest
  • Keys can be revoked at any time from the dashboard
  • Use environment variables to store keys — never hardcode them in source code
  • For browser-based applications, use a backend proxy to avoid exposing keys to the client

Never expose your API key in client-side code. Use a server-side proxy to make authenticated requests on behalf of your frontend.

On this page