TroubleshootingBeginner

How to Fix an OpenAI 401 'Invalid API Key' Error

Track down why the OpenAI API rejects your key and get a valid request flowing again.

7 minBeginner

A 401 from the OpenAI API almost always means the key your code sent does not match a live key on your account. The fix is rarely the key itself. It is usually a stray space, the wrong environment variable, a project mismatch, or a key that was rotated out. This guide walks through the checks in the order that catches the most cases first.

  • An OpenAI account with billing or free credits available
  • Access to the platform.openai.com dashboard
  • A terminal with curl installed

Step 1: Read the exact error body

The status code alone is not enough. Print the JSON body the API returned. The message field tells you whether the key is missing, malformed, or simply unknown to the server.

zsh - debug
$curl https://api.openai.com/v1/models -H "Authorization: Bearer $OPENAI_API_KEY"
{ "error": { "message": "Incorrect API key provided: sk-abc***. You can find your API key at https://platform.openai.com/account/api-keys.", "type": "invalid_request_error", "code": "invalid_api_key" } }
$

Step 2: Confirm the variable is actually set

If the message shows a blank or truncated key, your environment variable never reached the process. Echo it back, then check for hidden whitespace or quotes that crept in from a copied line.

zsh - debug
$echo "[$OPENAI_API_KEY]"
[sk-proj-9Xf2...long-string-here]
If you see [] or a trailing space inside the brackets, that is your bug.
$
platform.openai.com - API keys
API keys
Name Key Last used
prod-server sk-proj-...a91 3 minutes ago
old-laptop sk-proj-...44c revoked
[ + Create new secret key ]
The dashboard only shows the last few characters. Match those against the key your app sends.

Step 3: Match the key to the right project

Newer keys start with sk-proj- and are scoped to a single project. If the model you call lives in a different project, or your org header points elsewhere, you get a 401 even with a real key. Set the project explicitly so there is no ambiguity.

.env
OPENAI_API_KEY=sk-proj-your-real-key
OPENAI_PROJECT_ID=proj_abc123
OPENAI_ORG_ID=org_xyz789

Step 4: Rotate the key if it was ever exposed

If the key was committed to git, pasted in a chat, or printed in logs, OpenAI may auto-revoke it. Create a fresh secret key, paste it into your secret store, and delete the old one. Never paste a key back into the dashboard search box to test it.

Do not trim with a text editor
Pasting a key into a rich text field can insert smart quotes or a zero-width character. Always paste into a plain terminal or a .env file opened in a code editor.

Result

After setting a clean key in the right project, the same curl call returns a 200 with a list of models. In one common case a developer had OPENAI_API_KEY set in their shell but their app loaded a stale .env file, so the process saw an old revoked key. Removing the .env line and relying on the shell variable fixed it in under a minute.

Watch related tutorials

OpenAI Codex Tutorial #1 - Introduction & Setup12:38
OpenAI Codex Tutorial #1 - Introduction & Setup
Net Ninja
OpenAI Codex Tutorial #4 - Using the Codex CLI14:09
OpenAI Codex Tutorial #4 - Using the Codex CLI
Net Ninja
Using OpenAI Codex CLI with GPT-5-Codex17:53
Using OpenAI Codex CLI with GPT-5-Codex
Prompt Engineering
OpenAI Codex Tutorial 2026 || Getting Started with Codex for AI Coding Beginners15:00
OpenAI Codex Tutorial 2026 || Getting Started with Codex for AI Coding Beginners
YouTube
OpenAI Codex CLI12:00
OpenAI Codex CLI
YouTube
Claude Code - Full Tutorial for Beginners1:42:18
Claude Code - Full Tutorial for Beginners
freeCodeCamp.org
Tags
#openai#api keys#401#authentication
All how-to guides