Automation Engineer
Book A Free Call
← // field notes

How to verify and use your OpenAI API key — and the max_tokens trap that 400s you

7 min read API StudioOpenAI APILLM keys

OpenAI keys feel familiar — Authorization: Bearer, done — right up until your first call to a current model returns a 400 and an error about a parameter you’ve used a hundred times. The API moved on; a lot of tutorials didn’t. Here’s how to confirm a key works, send a real request, and sidestep the one mistake that catches almost everyone in 2026.

I made a free tool, API Studio, for exactly this: paste your key, click Verify, and know in two seconds whether it’s live — no install, no terminal, and no pasting your secret into something untrustworthy. The key stays in your browser; running a request relays it once through a stateless proxy that stores nothing.

Step one: list your models (free)

The cheapest way to check a key is to list the models it can access. It runs no model, so there’s no token cost:

curl https://api.openai.com/v1/models \
  -H "Authorization: Bearer $OPENAI_API_KEY"
  • 200 → the key is valid.
  • 401 invalid_api_key → wrong or revoked key.
  • A valid key with no credit still returns 200 here, but 429 insufficient_quota on any actual completion. So a clean /v1/models proves the key, not the billing.

In API Studio this is one click, and it doubles as a way to see exactly which models your account can call.

A note on key formats and billing

There are two key shapes: legacy user keys (sk-...) and the newer project-scoped keys (sk-proj-...). Project keys are bound to one project, which is usually what you want — and you only need the OpenAI-Organization / OpenAI-Project headers if you’re using a legacy key that spans multiple orgs. If verify passes but real calls 429, it’s almost always an unfunded project, not a bad key.

The trap: max_tokens vs max_completion_tokens

This is the big one. The classic Chat Completions call still works on non-reasoning models like gpt-4o-mini:

{
  "model": "gpt-4o-mini",
  "messages": [{ "role": "user", "content": "Say hello in 3 words." }],
  "max_tokens": 16,
  "temperature": 0.2
}

But the entire GPT-5 family and the o-series are reasoning models, and they changed the rules:

  • They require max_completion_tokens, not max_tokens. Send max_tokens and you get a 400.
  • They reject temperature, top_p, presence_penalty, frequency_penalty, and friends. Code that hardcodes temperature for every model will break on them.
  • Hidden reasoning tokens count against the cap. Set the cap too low and you get an empty content with finish_reason: "length" — and you still pay for the reasoning tokens. Give them a generous cap (a few hundred at least):
{
  "model": "gpt-5-mini",
  "messages": [{ "role": "user", "content": "Say hello in 3 words." }],
  "max_completion_tokens": 256,
  "reasoning_effort": "low"
}

API Studio ships both presets — Chat completion (gpt-4o-mini) and Chat on a reasoning model (gpt-5-mini) — side by side, precisely so the difference is obvious.

Chat Completions or the Responses API?

OpenAI now has a newer, unified primitive: the Responses API. The fields differ — input instead of messages, max_output_tokens instead of the token caps above, and reasoning as a nested object — and the output is response.output_text instead of choices[0].message.content:

{
  "model": "gpt-5.4-mini",
  "input": "Say hello in one short sentence.",
  "max_output_tokens": 256,
  "reasoning": { "effort": "low" },
  "store": false
}

For new builds, the Responses API is the one to learn; Chat Completions isn’t going anywhere, but don’t reuse one body shape against the other endpoint — they’re not drop-in. Both are presets in API Studio.

Which model IDs are current?

As of mid-2026, the frontier is the GPT-5 family (gpt-5.5 at the top, with gpt-5.4-mini/-nano for cheap and fast), plus o3 in the reasoning line. The old gpt-4o / gpt-4o-mini are legacy — still callable, handy for a cheap probe, but not where you’d start a new project. Don’t hardcode retired IDs like gpt-4-turbo or o1; list the models and use what your account actually shows.

Why not just use curl?

Because a browser can’t call api.openai.com directly (CORS blocks it — the same reason your key belongs on a server, never in front-end code). API Studio relays the request once through a stateless hop that keeps nothing, and if you’d rather trust no one, it gives you the exact cURL, Node, or Python for the request you just ran so you can run it yourself.

Verify your OpenAI key in API Studio →

A working key is step zero. The real work is the integration around it — retries, rate-limit handling, and the pipeline that moves data between your tools without you babysitting it. That’s what I do; if you want help, send me a brief.