Authentication
The public API uses bearer API keys. It does not use the WorkOS browser session that powers the dashboard.
Where keys come from
Create keys in the dashboard at /dashboard/api-keys. The key is bound to the active workspace shown in the dashboard header.
That split is intentional:
- WorkOS signs a human into the dashboard or CLI
- an API key lets your backend call the public API for one workspace
The public API session path is hosted-model-only in the MVP. If the dashboard shows the public API as unavailable, authenticated requests to create sessions or runs will fail with HOSTED_MODEL_UNAVAILABLE.
Header
Authorization: Bearer ap_live_<key_id>.<secret>

Keys are:
- created from the dashboard
- scoped to one workspace
- revealed once
- revocable without affecting the dashboard session
Store the key on your server:
AP_API_KEY=ap_live_<key_id>.<secret>

Then send it on every request:

Authorization: Bearer ${AP_API_KEY}

Use API keys from trusted server environments only. If your product needs browser streaming, have your backend call AP and proxy the stream to the browser.
Scope model
The MVP ships these scopes:
- sessions.read
- sessions.write
- runs.read
- runs.write
- actions.read
- actions.execute
If a key is missing a required scope, the API returns 403 with code: "MISSING_SCOPE".
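A minimal server-side client for the header format above and the 403 MISSING_SCOPE reply, added here as an example rather than code from AP: it reads AP_API_KEY from the environment, rejects keys that do not match the ap_live_<key_id>.<secret> shape, keeps the secret out of logs, and maps error replies to a typed exception. The API host (AP_API_BASE), the key character classes, and the scripted transport are assumptions for offline use.

```python
import os
import re
from typing import Callable

# Assumed placeholder: the docs do not state the API host, so it is read from the environment.
AP_API_BASE = os.environ.get("AP_API_BASE", "https://api.example.invalid")

# Key shape from the docs: ap_live_<key_id>.<secret>. The allowed characters are an assumption.
KEY_PATTERN = re.compile(r"^ap_live_[^.\s]+\.[^.\s]+$")


class APError(Exception):
    """Raised for any 4xx/5xx reply; `code` carries the API error code, e.g. MISSING_SCOPE."""
    def __init__(self, status: int, code: str):
        super().__init__(f"{status} {code}")
        self.status = status
        self.code = code


def load_key(env=os.environ) -> str:
    """Read the key from the server environment and refuse empty or malformed values."""
    key = env.get("AP_API_KEY", "")
    if not KEY_PATTERN.match(key):
        raise ValueError("AP_API_KEY is missing or not of the form ap_live_<key_id>.<secret>")
    return key


def auth_header(key: str) -> dict:
    """The only header the public API needs for authentication."""
    return {"Authorization": f"Bearer {key}"}


def redact(key: str) -> str:
    """Log-safe form of a key: keep the ap_live_<key_id> prefix, drop the secret."""
    prefix, _, _ = key.partition(".")
    return prefix + ".<redacted>"


def call_ap(method: str, path: str, key: str, transport: Callable, body=None):
    """Send one authenticated request. `transport(method, url, headers, body)` is any HTTP
    client returning (status, json_dict); injecting it lets the error mapping run offline."""
    status, payload = transport(method, AP_API_BASE + path, auth_header(key), body)
    if status >= 400:
        raise APError(status, (payload or {}).get("code", "UNKNOWN"))
    return payload


def scripted_transport(status: int, payload: dict) -> Callable:
    """Constructed stand-in for a real HTTP client: always answers with the given reply."""
    return lambda method, url, headers, body: (status, payload)
```

Catch APError where the code is MISSING_SCOPE and surface it as a configuration problem, since retrying with the same key cannot succeed.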
If you need to replace a key today, create a new one and revoke the old one. The dashboard does not offer in-place rotation yet.