Authentication

All AgenticAudit API requests require authentication via an API key.

API key format

API keys follow the format:

aa_live_ + 32 hexadecimal characters

Example: aa_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4

Using the API key

Pass the API key as a Bearer token in the Authorization header:

curl http://localhost:8000/v1/events \
  -H "Authorization: Bearer aa_live_xxxxx"

In the Python SDK:

from agentaudit import AgentAudit

audit = AgentAudit(api_key="aa_live_xxxxx")

Or via environment variable:

export AGENTAUDIT_API_KEY="aa_live_xxxxx"
# SDK reads from AGENTAUDIT_API_KEY automatically
audit = AgentAudit()

How keys are stored

API keys are hashed with SHA-256 before storage, and the server compares that hash on every request. Unsalted SHA-256 is adequate here only because a key is 128 bits (32 hex characters) of random data rather than a low-entropy password: the key space cannot be enumerated, so the salting and stretching used for password hashes add nothing. The plaintext key is never persisted; it is shown once, at creation, and cannot be retrieved afterwards.

Each API key is scoped to an organization. All events created with a key belong to that organization and are only accessible with keys from the same organization.

Default API key

When using Docker Compose, a default API key is generated on first startup. Retrieve it from the logs:

docker compose logs api | grep "Default API key"

Error responses

Status Code       Meaning
401 Unauthorized  Missing Authorization header or invalid key format
403 Forbidden     Key is valid but has been revoked or deleted

Example error body:

{
  "detail": "Invalid or missing API key"
}
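The following is an added Python example, not code from the AgentAudit project, that models the key lifecycle described on this page: generating a key in the documented format, storing only its SHA-256 hash, scoping it to an organization, and mapping authentication failures to the 401/403 responses above. The names (generate_key, hash_key, KeyStore, authenticate, can_access) and the dict-backed store are hypothetical. Two points the page leaves open are treated as assumptions: a well-formed key that is not in the store is rejected with 401, and the 403 body text is made up, since the page shows only the 401 body.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass, field

# Documented format: "aa_live_" followed by 32 lowercase hex characters.
KEY_RE = re.compile(r"^aa_live_[0-9a-f]{32}$")


def generate_key() -> str:
    """Return a fresh plaintext key. 16 random bytes -> 32 hex chars (128 bits).
    The caller shows it to the user once and must never write it to storage."""
    return "aa_live_" + secrets.token_hex(16)


def hash_key(key: str) -> str:
    """Unsalted SHA-256 is acceptable here because the key is 128 random bits,
    so an attacker holding the hash cannot enumerate the key space."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()


@dataclass
class KeyRecord:
    org_id: str
    revoked: bool = False  # revocation is a soft delete; the hash stays for a 403


@dataclass
class KeyStore:
    """Hypothetical store (assumption): maps sha256(key) -> KeyRecord.
    Only hashes ever enter it; the plaintext exists only transiently in create()."""
    _by_hash: dict = field(default_factory=dict)

    def create(self, org_id: str) -> str:
        key = generate_key()
        self._by_hash[hash_key(key)] = KeyRecord(org_id=org_id)
        return key

    def revoke(self, key: str) -> None:
        self._by_hash[hash_key(key)].revoked = True

    def lookup(self, key: str):
        return self._by_hash.get(hash_key(key))


def authenticate(store: KeyStore, headers: dict):
    """Return (status, body) for a request's headers.

    401: header missing, not a Bearer token, malformed key, or (assumption)
         well-formed but unknown key.
    403: key is known but has been revoked.
    200: body carries the org_id that scopes every subsequent access check.
    """
    # HTTP header names are case-insensitive, so normalise before looking up.
    lowered = {name.lower(): value for name, value in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not KEY_RE.fullmatch(token):
        return 401, {"detail": "Invalid or missing API key"}
    record = store.lookup(token)
    if record is None:
        return 401, {"detail": "Invalid or missing API key"}
    if record.revoked:
        return 403, {"detail": "API key has been revoked"}  # body text is an assumption
    return 200, {"org_id": record.org_id}


def can_access(caller_org_id: str, event: dict) -> bool:
    """Events are visible only to keys from the organization that created them."""
    return event.get("org_id") == caller_org_id


if __name__ == "__main__":
    store = KeyStore()
    key = store.create("org_a")  # plaintext shown once, then forgotten
    print(authenticate(store, {"Authorization": f"Bearer {key}"}))
    store.revoke(key)
    print(authenticate(store, {"Authorization": f"Bearer {key}"}))
```

Note that revocation keeps the hash in the store with a revoked flag; that is what lets the server distinguish a revoked key (403) from garbage (401) without ever holding the plaintext.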

Security recommendations

  • Rotate API keys periodically
  • Use different keys for different environments (dev, staging, production)
  • Store keys in environment variables or secret managers, not in code
  • In production, change the default key generated by Docker Compose