Agent Aid

Authentication

Task routes accept an API key in the Authorization header. Key management routes use a separate credential so routine agent keys cannot mint or revoke other keys.

Task API

Send Authorization: Bearer <API_KEY>, where the key matches the format issued by the console (including prefix segments). The server verifies the key against a salted hash; the full secret is shown only once, at creation.

Management access

Listing, creating, and revoking keys via management endpoints requires a management token (a placeholder until organization SSO and scoped roles ship). Do not embed management tokens in agent runtimes.

Operational guidance

  • Rotate keys when staff change roles or a secret may have leaked.
  • Keep agent keys scoped to environments (staging vs production) via separate deployments.
  • Never log full bearer tokens; log key ids only when diagnosing.
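The salted-hash check described under Task API and the "log key ids only" rule above, sketched as an added example (not Agent Aid's own code). The key layout aa_<env>_<key id>_<secret>, salted SHA-256, and the names issue_key, verify and redact are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PREFIX = "aa"  # hypothetical prefix segment; the real format is whatever the console issues

def _digest(salt, secret):
    # Assumption: salted SHA-256, acceptable only because the secret is 256 random bits.
    return hashlib.sha256(salt + secret.encode()).digest()

def issue_key(env, store):
    """Create a key; persist only salt + hash. The return value is the one-time display."""
    key_id = secrets.token_hex(4)
    secret = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    store[key_id] = {"env": env, "salt": salt, "hash": _digest(salt, secret)}
    return f"{PREFIX}_{env}_{key_id}_{secret}"

def verify(header, env, store):
    """Return the key id if the header holds a valid key for this deployment's env, else None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    parts = token.strip().split("_", 3)  # the secret itself may contain "_"
    if len(parts) != 4 or parts[0] != PREFIX:
        return None
    _, key_env, key_id, secret = parts
    record = store.get(key_id)
    if record is None or key_env != env or record["env"] != env:
        return None  # unknown key, or a staging key presented to production (or vice versa)
    # Constant-time comparison of the stored hash with the recomputed one.
    if not hmac.compare_digest(record["hash"], _digest(record["salt"], secret)):
        return None
    return key_id

def redact(header):
    """Log-safe rendering: keep the prefix segments and key id, drop the secret."""
    scheme, _, token = (header or "").partition(" ")
    parts = token.strip().split("_", 3)
    if scheme.lower() != "bearer" or len(parts) != 4:
        return "<malformed Authorization header>"
    return "Bearer " + "_".join(parts[:3]) + "_<redacted>"
```

verify returns only the key id, so request logs and diagnostics can reference the key without ever handling the secret.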
