Skip to main content
The Gizmo API uses API key authentication. Every request must include a valid API key in the Authorization header. Requests made without a key, or with an invalid key, will be rejected with a 401 Unauthorized response.
Early Access: The Gizmo API is currently in alpha. API behaviour and key management processes may change. Contact viswajit@antimlabs.com with any access issues.

Getting an API Key

The Gizmo API is in early access. Keys are provisioned manually and granted on a request basis. To request access:
  1. Email viswajit@antimlabs.com with the subject line “Gizmo API Access Request”.
  2. Briefly describe your use case and the simulator(s) you’re targeting (Isaac Sim, MuJoCo, or both).
  3. You’ll receive your API key by reply email after approval — typically within a few business days.
Each approved user receives a single API key scoped to their account. There is no self-serve key generation during the alpha period.

Using Your API Key

Pass your API key as a Bearer token in the Authorization header of every request: 
Authorization: Bearer YOUR_API_KEY
Replace YOUR_API_KEY with the key provided to you.

Examples

curl --request GET \
  --url https://api.gizmo.antimlabs.com/v1/assets \
  --header "Authorization: Bearer YOUR_API_KEY" \
  --header "Content-Type: application/json"
In Python, store your key in an environment variable and read it at runtime with os.environ["GIZMO_API_KEY"] rather than hard-coding it in your script.

Keeping Your Key Secure

Your API key grants full access to your Gizmo account. Treat it like a password.
  • Never commit your key to source control. Use environment variables or a secrets manager (e.g. AWS Secrets Manager, HashiCorp Vault, .env files excluded via .gitignore).
  • Do not embed keys in client-side or mobile code. Any key shipped in a browser bundle or compiled app binary can be extracted and abused.
  • Rotate immediately if compromised. Email viswajit@antimlabs.com to revoke your current key and issue a replacement.
  • Do not share keys across team members or services — request separate keys for each principal.
Never expose your API key in front-end JavaScript, mobile apps, or any code that runs outside a trusted server environment. If a key is leaked, revoke it immediately by contacting the Gizmo team.

Authentication Errors

HTTP StatusWhen it occurs
401 UnauthorizedThe Authorization header is missing, malformed, or contains an invalid/expired key.
403 ForbiddenThe key is valid but does not have permission to perform the requested action (e.g. accessing a resource that belongs to another account).
Example 401 response: 
{
  "error": "authentication_error",
  "code": "INVALID_API_KEY",
  "message": "The provided API key is invalid or has been revoked. Please check your key and try again."
}
Example 403 response: 
{
  "error": "authorization_error",
  "code": "PERMISSION_DENIED",
  "message": "Your API key does not have permission to access this resource."
}
If you receive a 401 and believe your key is correct, verify that:
  • You are including the Bearer prefix (with a trailing space) before the key value.
  • Your key has not been rotated or revoked.
  • You are sending requests to the correct base URL.