API Keys
API keys let scripts, CI pipelines, and external tools authenticate with Auxot without a browser session. Each key is tied to the user who created it and carries that user’s permissions.
Keys begin with user. and are shown once at creation. Store the key immediately — Auxot only stores a hash and cannot display it again.
Creating a Key
Go to Settings → Profile → API Keys → Add Key. Give it a name, then copy the key shown.
Or ask the admin agent:
Create an API key for me called "CI Pipeline"
Using a Key
Pass the key in every request using the Authorization header:
curl http://localhost:8080/api/agents \
-H "Authorization: Bearer user.abc123..."
The x-api-key header is also accepted — useful for tools that follow the Anthropic SDK convention:
curl http://localhost:8080/api/anthropic/v1/messages \
-H "x-api-key: user.abc123..." \
-H "anthropic-version: 2023-06-01" \
-H "Content-Type: application/json" \
-d '{"model": "auto", "max_tokens": 1024, "messages": [{"role": "user", "content": "Hello"}]}'
Revoking a Key
Go to Settings → Profile → API Keys, find the key, and delete it. The key stops working immediately.
Team API Keys
Business and Enterprise: Teams can have their own API keys, separate from personal user keys. Team keys are used for intake webhooks and service-to-service calls where requests should be scoped to a team.
Team keys are created under Settings → Teams, open a team, then go to Keys. They begin with team. and are shown once at creation.
Intake Webhook Auth
Intake webhook endpoints accept either a user API key or a team API key in the Authorization: Bearer header. See Integrations → Intake Webhooks for full webhook details.
Security Notes
- Keys are stored as Argon2id hashes. The plaintext is never logged or retrievable.
- Treat API keys like passwords. Do not commit them to version control or paste them into chat.
- Rotate a key at any time by deleting the old one and creating a new one.
- For automated deployments, inject keys via environment variables or your secrets manager.