Every request to the Bloom API needs either a Bloom API key or a Bloom OAuth access token. API keys are simplest for server-side automations. OAuth is the right fit for app integrations where a user signs in with Bloom and grants access.

API keys

Generate an API key from your account settings and treat it as a secret — rotate any that may have been exposed. You can send the key in either of two headers; both accept the same key. If both headers are present, x-api-key wins.

x-api-key header

x-api-key: bloom_sk_...

Authorization: Bearer header

Authorization: Bearer bloom_sk_...

Use whichever fits your client. x-api-key is the most direct; Authorization: Bearer is useful when you’re working with HTTP libraries that expect that shape (most SDKs, many low-code tools).

OAuth access tokens

The REST API also accepts Bloom OAuth access tokens:

Authorization: Bearer <bloom_oauth_access_token>

OAuth tokens resolve to the same user identity as an API key. They have the same access to brands, images, credits, plan gates, and workspaces. Bloom’s OAuth endpoints are:

Issuer: https://www.trybloom.ai/api/auth
Dynamic client registration: https://www.trybloom.ai/api/auth/oauth2/register
Authorize: https://www.trybloom.ai/api/auth/oauth2/authorize
Token: https://www.trybloom.ai/api/auth/oauth2/token
API base: https://www.trybloom.ai/api/v1

Public clients should use Authorization Code with PKCE S256 and dynamic client registration:
{
  "token_endpoint_auth_method": "none",
  "type": "user-agent-based",
  "grant_types": ["authorization_code", "refresh_token"],
  "response_types": ["code"],
  "redirect_uris": ["https://your-app.example/oauth/callback"]
}

For app integrations with public clients, do not use a client_secret. Register the exact callback URL for the current deploy and send that exact redirect_uri in the authorize request; wildcard redirect URIs are not supported.