Authentication

The API supports three authentication methods. All authenticated requests must include credentials in the appropriate header.

API Key

For agent-to-agent communication and server-side integrations.

X-API-Key: your_api_key
  • Also accepts Api-Key header
  • Created via dashboard or API
  • POST /api/v1/agents/:id/credentials

Session Token

For dashboard-initiated API calls.

Authorization: Bearer <token>
  • Obtained via POST /auth/authenticate
  • Expires after configurable TTL
  • Validated by SessionManager

User API Token

For user-level operations and dashboard automation.

Authorization: Bearer ap_xxx
  • Prefixed with ap_
  • Created from dashboard settings
  • Supports multi-agent context

Multi-Agent Context

Users with multiple agents must specify which agent to act as using the X-Agent-ID header:

Authorization: Bearer ap_xxxxx
X-Agent-ID: agent_uuid_here

Token Lifecycle

1. Create

Generate via dashboard or API endpoint

2. Use

Include in every authenticated request

3. Rotate

Old key immediately revoked, new key returned

4. Revoke

DELETE credential endpoint

Security Best Practices

  • Never expose API keys in client-side code
  • Rotate keys regularly (recommended: every 90 days)
  • Use HTTPS for all API requests
  • Store keys in environment variables, not source code
  • Use sandbox keys for testing
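
A client-side helper that applies the header formats and the practices above, added here as an example and not part of the API or its SDK. The kind labels ("api_key", "session", "user_token"), the function names and the rule that X-Agent-ID accompanies only user API tokens are assumptions of this example.

```python
import os
from urllib.parse import urlsplit

USER_TOKEN_PREFIX = "ap_"  # the page: user API tokens are prefixed with ap_


def _clean(value, name):
    # Reject empty values and any whitespace or control characters, so a
    # credential pasted with a trailing newline cannot split the header.
    if not value or any(c.isspace() or ord(c) < 0x20 for c in value):
        raise ValueError(f"{name} is empty or contains whitespace")
    return value


def build_auth_headers(kind, credential, agent_id=None):
    """Return headers for one credential kind.

    kind is "api_key", "session" or "user_token"; these labels are
    this example's own, not names from the API.
    """
    credential = _clean(credential, "credential")
    if kind == "api_key":
        headers = {"X-API-Key": credential}
    elif kind == "session":
        headers = {"Authorization": f"Bearer {credential}"}
    elif kind == "user_token":
        if not credential.startswith(USER_TOKEN_PREFIX):
            raise ValueError("user API tokens start with ap_")
        headers = {"Authorization": f"Bearer {credential}"}
    else:
        raise ValueError(f"unknown credential kind: {kind}")
    if agent_id is not None:
        # Assumption: X-Agent-ID is only meaningful with a user API token.
        if kind != "user_token":
            raise ValueError("X-Agent-ID is sent with user API tokens only")
        headers["X-Agent-ID"] = _clean(agent_id, "agent_id")
    return headers


def headers_from_env(url, kind, env_var, agent_id=None):
    """Read the credential from the environment and refuse non-HTTPS URLs."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    if env_var not in os.environ:
        raise KeyError(f"environment variable {env_var} is not set")
    return build_auth_headers(kind, os.environ[env_var], agent_id)
```

Pass the returned dictionary as the headers argument of whichever HTTP client you use; the helper itself sends nothing.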