The Worlds API utilizes Bearer Token authentication. You must include your API
key in the Authorization header of every request.
Generating keys
Your access strategy depends on your deployment environment.
- Cloud: Generate and manage scoped API keys in the
dashboard.
- Self-hosted: Use the
WORLDS_API_KEY configured in your server’s
environment. This acts as the root admin key for your instance.
Unprotected mode
To facilitate rapid prototyping in local environments, the WORLDS_API_KEY is
optional.
If you do not provide a WORLDS_API_KEY, the server runs in Unprotected
Mode. This disables all security and allows anyone to access your data. Use
it only for local development.
Technical usage
Authorization: Bearer <YOUR_API_KEY>
SDK initialization
The SDK handles authentication automatically when you provide your key during
client initialization.
import { WorldsSdk } from "@wazoo/worlds-sdk";
const sdk = new WorldsSdk({
apiKey: "YOUR_API_KEY",
baseUrl: "http://localhost:8000",
});
Admin access
Certain endpoints—such as listing all worlds or managing organization-wide
settings—require an admin-level key. In self-hosted scenarios, this corresponds
to the WORLDS_API_KEY. 
