Skip to main content

API keys

Create and manage API keys for authenticating with the Agentbot API. All endpoints require session authentication.

List keys

Response

Create key

Request body

Response (201 Created)

The raw API key is only returned once at creation time. Store it securely — it cannot be retrieved again. The key is stored as a bcrypt hash in the database.

Errors

Get key

Requires ownership of the key.

Response

Errors

Delete key

Requires ownership of the key.

Response

Errors

Validate key

The POST /api/keys/validate endpoint is planned for a future release. API key validation is currently available through the backend endpoint POST /api/validate-key, which uses SHA-256 hash comparison.
The following specification describes the intended web-side validation endpoint:
Verifies an API key against its bcrypt hash in the database and returns the associated user information. No session authentication is required.

Request body

Response

How it works

  1. The key prefix (first 10 characters) is used for a fast database lookup.
  2. Candidate keys matching the prefix are compared using bcrypt.compare against the stored hash.
  3. On match, the user’s profile and subscription information are returned.

Errors