Authentication
To access the Sim API, you need an API key. Sim supports two types of API keys — personal keys and workspace keys — each with different billing and access behaviors.
Key Types
| Personal Keys | Workspace Keys | |
|---|---|---|
| Billing | Workspace payer for workspace-hosted usage | Workspace payer |
| Scope | Across workspaces you have access to | Shared across the workspace |
| Managed by | Each user individually | Workspace admins |
| Permissions | Must be enabled at workspace level | Require admin permissions |
Personal keys identify the user making a request; they do not select who pays. Hosted usage is billed to the workspace's organization or personal billing account and, for organizations, is attributed to the actor's member cap. Workspace admins can disable personal API key usage for their workspace. If disabled, only workspace keys can be used.
Generating API Keys
To generate a personal key, open Account settings → Sim API keys. Workspace administrators can create shared keys from Workspace settings → Sim API keys.
API keys are only shown once when generated. Store your key securely — you will not be able to view it again.
Using API Keys
Pass your API key in the X-API-Key header with every request:
curl -X POST https://www.sim.ai/api/workflows/{workflowId}/execute \
-H "Content-Type: application/json" \
-H "X-API-Key: YOUR_API_KEY" \
-d '{"inputs": {}}'const response = await fetch(
'https://www.sim.ai/api/workflows/{workflowId}/execute',
{
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-API-Key': process.env.SIM_API_KEY!,
},
body: JSON.stringify({ inputs: {} }),
}
)import requests
response = requests.post(
"https://www.sim.ai/api/workflows/{workflowId}/execute",
headers={
"Content-Type": "application/json",
"X-API-Key": os.environ["SIM_API_KEY"],
},
json={"inputs": {}},
)Where Keys Are Used
API keys authenticate access to:
- Workflow execution — run deployed workflows via the API
- Logs API — query workflow execution logs and metrics
- MCP servers — authenticate connections to deployed MCP servers
- SDKs — the Python and TypeScript SDKs use API keys for all operations
Security
- Keys use the
sk-sim-prefix and are encrypted at rest - Keys can be revoked at any time from the dashboard
- Use environment variables to store keys — never hardcode them in source code
- For browser-based applications, use a backend proxy to avoid exposing keys to the client
Never expose your API key in client-side code. Use a server-side proxy to make authenticated requests on behalf of your frontend.