Authentication
Credential format
Tenant model
Key lifecycle

Authentication

This page summarizes how to authenticate. The full guide with troubleshooting and reason codes lives in the repository: authentication.md.

Credential format

Protected endpoints require:

Authorization: Bearer <key_id>:<secret>

The plaintext credential is key_id:secret as issued by POST /v1/api-keys — do not Base64-encode it.

Tenant model

customer_id is the server-validated authorization boundary (from the API key).
workspace_id and subject_id are optional customer-provided attribution dimensions on runs and usage queries — not authorization boundaries.

Key lifecycle

Create: POST /v1/api-keys
Revoke: DELETE /v1/api-keys/{key_id}
Rotate: POST /v1/api-keys/{key_id}/rotate

See the full authentication guide for tables, examples, and error semantics.

⌘I