TokenMix Research Lab · 2026-06-04
Cursor Unauthorized API Key 2026: ERROR_BAD_USER_API_KEY Fix
Last Updated: 2026-06-04 Author: TokenMix Research Lab Data verified: 2026-06-04 - Cursor API Keys docs, Cursor CLI authentication docs, Cursor Background Agent API key docs, OpenAI API key docs, Google Gemini API key docs, OpenRouter API key docs, Anthropic error docs, and Cursor community reports
Cursor Unauthorized User API key usually means you fixed the wrong key. Check Cursor account auth first, then BYOK provider key, model access, base URL, and feature support.
The common error text is searchable because it is specific: ERROR_BAD_USER_API_KEY, Bad User API key, and Unauthorized User API key. Cursor's official docs separate two key systems. The Cursor CLI uses browser login or a Cursor user API key generated under Dashboard > Integrations > User API Keys (Cursor authentication). Cursor editor BYOK uses provider keys entered under Cursor Settings > Models, then verified; custom keys only work with standard chat models, while features that require specialized models keep using Cursor built-in models (Cursor API Keys). The fix depends on which key path failed. Replacing your OpenAI or Gemini key will not fix an expired Cursor account token. Regenerating a Cursor API key will not fix a provider 401.
Table of Contents
- Quick Verdict
- Error Text and Status Codes
- Cursor Key Systems
- Root Cause Matrix
- Step-by-Step Fix
- Provider Key Tests
- BYOK Limitations
- Security and Cost Notes
- Final Recommendation
- FAQ
- Sources
- Related Articles
Quick Verdict
| Claim | Status | Source |
|---|---|---|
| Cursor CLI supports browser login and API-key authentication | Confirmed | Cursor authentication |
| Cursor CLI user API keys are generated under Dashboard > Integrations > User API Keys | Confirmed | Cursor authentication |
| Cursor BYOK keys are entered under Cursor Settings > Models and verified | Confirmed | Cursor API Keys |
| Cursor custom API keys only work with standard chat models | Confirmed | Cursor API Keys |
| Tab Completion keeps using Cursor built-in models even when BYOK is configured | Confirmed | Cursor API Keys |
| Cursor supports OpenAI, Anthropic, Google, Azure OpenAI, and AWS Bedrock custom keys | Confirmed | Cursor API Keys |
| OpenRouter is officially listed as a first-class Cursor BYOK provider | False | Cursor's current provider list does not include OpenRouter |
ERROR_BAD_USER_API_KEY always means your provider key is invalid |
False | It can be Cursor account auth, BYOK key, model access, base URL, or feature mismatch |
| Gemini API keys are created and managed in Google AI Studio | Confirmed | Google Gemini API key docs |
| OpenAI API keys are created and managed on the OpenAI API key page | Confirmed | OpenAI Help |
Error Text and Status Codes
| Surface text | Likely layer | Status code | Best first action |
|---|---|---|---|
ERROR_BAD_USER_API_KEY |
Cursor account or Cursor key path | Cursor internal | Run Cursor login/status flow |
Bad User API key |
Cursor account key | Cursor internal | Regenerate Cursor user API key |
Unauthorized User API key |
Cursor user API key or mismatched account | Cursor internal | Log out, log in, regenerate user key |
Invalid API key provided |
Provider key | 401 | Test provider key outside Cursor |
authentication_error |
Provider API key | 401 | Rotate provider key |
permission_error |
Provider model/project access | 403 | Check model/org/project permissions |
rate_limit_error |
Provider quota/rate limit | 429 | Do not rotate key; fix quota |
Provider returned 400 |
Provider request/body/model mismatch | 400 | Check model name and base URL |
Cursor Pro Required |
Feature billing/support | Cursor internal | Use supported feature or plan |
Not authenticated |
Cursor CLI auth | Cursor internal | Run cursor-agent login or set CURSOR_API_KEY |
The wrong fix is expensive: rotating provider keys does nothing when Cursor account auth is stale, and re-login does nothing when the provider returns 401.
Cursor Key Systems
| Key type | Where it lives | What it authenticates | Confirmed behavior |
|---|---|---|---|
| Cursor browser session | Cursor app / CLI credential store | Your Cursor account | Browser login is recommended for CLI |
| Cursor user API key | Dashboard > Integrations > User API Keys | Cursor CLI automation / CI | Can be supplied via CURSOR_API_KEY |
| OpenAI key | OpenAI API key page | OpenAI standard non-reasoning chat models in Cursor BYOK | Cursor supports OpenAI standard chat models |
| Anthropic key | Anthropic Console | Claude models available through Anthropic API | Cursor supports Anthropic BYOK |
| Google key | Google AI Studio API Keys | Gemini models through Google AI API | Cursor supports Google BYOK |
| Azure OpenAI | Azure deployment config | Azure OpenAI models | Cursor supports Azure OpenAI |
| AWS Bedrock | AWS access keys, secret keys, or IAM role | Bedrock models in your configuration | Cursor supports Bedrock |
| OpenRouter key | OpenRouter dashboard | OpenRouter router, not listed by Cursor as first-class provider | Likely fragile unless routed through supported OpenAI-compatible setup |
Cursor's API-key docs also state that custom API keys only work with standard chat models. This matters because many users expect BYOK to power every Cursor feature. That expectation is False.
Root Cause Matrix
| Root cause | Symptom | Fix | Status |
|---|---|---|---|
| Cursor account token expired | Unauthorized User API key, account mismatch, CLI not authenticated |
cursor-agent logout, then cursor-agent login |
Confirmed |
| Wrong Cursor user API key | CLI automation fails, dashboard key not recognized | Regenerate Dashboard > Integrations > User API Key | Confirmed |
| Provider key pasted into Cursor user API key slot | Cursor CLI auth fails | Use provider key only in Settings > Models | Likely |
| Cursor user key pasted into provider slot | Provider verification fails | Use OpenAI/Anthropic/Gemini key in provider field | Likely |
| Provider key revoked | Provider returns 401 | Rotate key in provider console | Confirmed |
| Wrong model for provider | Verification fails or 400 provider error | Select model supported by provider and Cursor | Confirmed |
| OpenRouter key used as direct OpenAI key | ERROR_BAD_USER_API_KEY or provider mismatch |
Use supported route; test OpenRouter separately | Likely |
| Gemini key tied to wrong project | Works elsewhere but not in selected model/project | Create/check Google AI Studio key | Confirmed |
| Feature not supported by BYOK | Tab/agent/edit feature still fails | Use Cursor built-in model or supported chat model | Confirmed |
| Corporate proxy/SSL | Auth, verify, or endpoint errors | Test outside proxy; CLI supports --insecure for dev |
Confirmed |
Step-by-Step Fix
| Step | Command or action | Pass condition |
|---|---|---|
| 1 | Log out/in of Cursor account | Cursor app shows correct account |
| 2 | For CLI, run cursor-agent status |
It reports authenticated account and endpoint |
| 3 | If CLI fails, run cursor-agent login |
Browser flow completes |
| 4 | If automation fails, regenerate Cursor user API key | New key works with CURSOR_API_KEY |
| 5 | In editor BYOK, go Settings > Models | Provider field is the correct provider |
| 6 | Paste provider key without whitespace | Verify succeeds |
| 7 | Test provider key outside Cursor | Provider returns a small completion |
| 8 | Check model support | Cursor model picker shows compatible model |
| 9 | Check quota/rate limit | 401/403/429 are handled differently |
| 10 | Restart Cursor | Cached auth state clears |
# Cursor CLI account path
cursor-agent status
cursor-agent logout
cursor-agent login
# Cursor user API key path for automation
export CURSOR_API_KEY="your_cursor_user_api_key"
cursor-agent status
cursor-agent "explain the auth failure in this repo"
Provider Key Tests
Test the provider key outside Cursor before blaming Cursor.
# OpenAI key smoke test
curl https://api.openai.com/v1/models \
-H "Authorization: Bearer $OPENAI_API_KEY"
# Anthropic key smoke test
curl https://api.anthropic.com/v1/messages \
-H "x-api-key: $ANTHROPIC_API_KEY" \
-H "anthropic-version: 2023-06-01" \
-H "content-type: application/json" \
-d '{"model":"claude-sonnet-4-5","max_tokens":32,"messages":[{"role":"user","content":"hello"}]}'
# Gemini key smoke test
curl "https://generativelanguage.googleapis.com/v1beta/models?key=$GEMINI_API_KEY"
def classify_cursor_api_key_error(message, provider_status=None):
text = message.lower()
if "error_bad_user_api_key" in text or "unauthorized user api key" in text:
return "Check Cursor account auth and Cursor user API key first."
if provider_status == 401 or "invalid api key" in text:
return "Provider key failed. Test OpenAI/Anthropic/Gemini outside Cursor."
if provider_status == 403:
return "Provider permission/model/project access issue."
if provider_status == 429:
return "Rate limit or quota. Do not rotate the key first."
if "pro required" in text or "custom models" in text:
return "Feature is not available through BYOK."
return "Capture full error JSON, status code, provider, model, and base URL."
BYOK Limitations
| Cursor feature | Works with custom provider key? | Source-based read |
|---|---|---|
| Standard chat model requests | Yes | Confirmed |
| OpenAI standard non-reasoning chat models | Yes | Confirmed |
| Anthropic Claude models available through Anthropic API | Yes | Confirmed |
| Google Gemini models through Google AI API | Yes | Confirmed |
| Azure OpenAI deployed models | Yes | Confirmed |
| AWS Bedrock configured models | Yes | Confirmed |
| Tab Completion | No, uses Cursor built-in models | Confirmed |
| Specialized Cursor model features | Not fully | Confirmed |
| Every Agent/Edit workflow | Not guaranteed | Likely |
| OpenRouter as official first-class provider | No public Cursor provider-list confirmation | False / Likely unsupported |
This is where many forum fixes go wrong. A BYOK key is not a universal replacement for Cursor's model stack. If you need provider routing and fallback outside Cursor's supported list, use a gateway layer and keep Cursor's limitations explicit.
Security and Cost Notes
| Risk | Why it matters | Fix |
|---|---|---|
| Pasting provider key into wrong field | Creates misleading auth errors | Label keys by provider and use a password manager |
| Exposed Gemini/OpenAI key | Can create unexpected bills | Rotate immediately and set budget caps |
| Using BYOK for unsupported feature | Error looks like auth but is product support | Read Cursor feature support |
| Provider key sent through backend | Cursor docs say requests are routed through backend for final prompt assembly | Do not send sensitive keys from untrusted machines |
| OpenRouter key treated as OpenAI key | Base URL/provider mismatch | Test with OpenRouter docs separately |
| Rate limit mistaken for auth | Rotating keys wastes time | Classify 401/403/429 separately |
| Corporate proxy strips headers | Provider sees missing/invalid auth | Test on clean network |
Cost calculation 1: a false 429/auth diagnosis can double retries. If a failing tool retries 5 times per prompt and 20 prompts are submitted, that is 100 failed calls before a human sees the real provider status. Log status code before retry.
Cost calculation 2: if the real issue is rate_limit_error, rotating 3 provider keys does nothing. One retry-after-aware queue fixes the class of problem faster than key churn. See Claude 429 Rate Limits for the rate-limit path.
Cost calculation 3: if you use Cursor BYOK for chat but Tab Completion still uses Cursor built-in models, your bill can split across provider usage and Cursor plan usage. That is expected from Cursor's feature split, not a hidden provider bug.
For teams that need model routing instead of single-provider BYOK, compare AI API Gateway, OpenRouter alternatives, and TokenMix vs OpenRouter vs Portkey vs LiteLLM.
Final Recommendation
Fix Cursor Unauthorized User API key in this order: Cursor account login, Cursor user API key, BYOK provider key, model/base URL, feature support. Do not rotate every key blindly. The fastest fix is matching the error layer to the right key system.
FAQ
What does Cursor Unauthorized User API key mean?
It usually means Cursor rejected the user-key/auth path, not necessarily your OpenAI or Anthropic provider key. Check Cursor login and Cursor user API key before rotating provider keys.
What is ERROR_BAD_USER_API_KEY in Cursor?
ERROR_BAD_USER_API_KEY is a Cursor-side bad user key/auth signal reported by users and surfaced in Cursor error payloads. Treat it as Cursor account/user-key first, provider key second.
How do I fix Cursor CLI not authenticated?
Run cursor-agent status, then cursor-agent login. If you are using automation, generate a Cursor user API key from Dashboard > Integrations > User API Keys and set CURSOR_API_KEY.
Why does my OpenAI API key fail in Cursor?
It may be pasted into the wrong field, revoked, missing model access, blocked by organization/project permissions, or used for a model Cursor does not support. Test it with OpenAI directly before blaming Cursor.
Can Cursor use my Anthropic API key?
Yes, Cursor documents Anthropic BYOK support for Claude models available through the Anthropic API. But custom API keys only work with standard chat models, not every specialized Cursor feature.
Can Cursor use my Gemini API key?
Yes, Cursor documents Google BYOK support for Gemini models through the Google AI API. Create and manage Gemini API keys in Google AI Studio.
Does Cursor support OpenRouter API keys?
Cursor's official provider list does not name OpenRouter as a first-class BYOK provider. OpenRouter may work in some OpenAI-compatible setups, but treat that as Likely/unsupported unless Cursor documents it.
Why does Tab Completion still use Cursor models?
Cursor says custom API keys only work with standard chat models, and features that require specialized models such as Tab Completion continue using Cursor built-in models.
Sources
- Cursor API Keys - official BYOK setup and provider support
- Cursor CLI Authentication - official browser login and Cursor user API key setup
- Cursor Background Agent API Key Info - official Cursor API key metadata endpoint
- OpenAI: Where do I find my API key? - official OpenAI key management
- Google Gemini API Keys - official Gemini key creation and environment variable behavior
- OpenRouter API Authentication - official OpenRouter key and base URL docs
- Anthropic Errors - official 401, 403, 429 and error shape reference
- Anthropic Rate Limits - official 429 and
retry-afterbehavior - Cursor Community: Invalid API key provided - observed provider 401 shape
- Reddit: ERROR_BAD_USER_API_KEY report - user-reported raw error payload, treated as Speculation
Related Articles
- Claude 429 Rate Limits 2026: RPM, TPM, Backoff, Jitter Fix
- Anthropic OpenAI-Compatible API 2026: Claude SDK Setup Guide
- OpenAI API Key Free 2026: 7 Ways to Get 4,900 Calls/Day
- AI API Gateway 2026: Routing, Fallbacks, Observability, and Cost Control
- 8 OpenRouter Alternatives 2026: Free or Below-Market Pricing