Authentication
AgenticWork supports multiple authentication methods for flexibility across different use cases.
Authentication Methods
1. API Key (Recommended for Server-Side)
Include your API key in the X-API-Key header:
curl -H "X-API-Key: aw_live_xxxxxxxxxxxx" \
https://chat.agenticwork.io/api/chat/sessions
API Key Prefixes:
aw_live_ - Production
aw_test_ - Testing/Sandbox
2. Bearer Token (OAuth/JWT)
For user-authenticated requests:
curl -H "Authorization: Bearer eyJhbG..." \
https://chat.agenticwork.io/api/chat/sessions
3. Azure AD SSO
For enterprise SSO integration:
User is redirected to Azure AD login
Azure AD returns authorization code
AgenticWork exchanges code for tokens
Session is established with user identity
API Key Management
Creating API Keys
Via Admin Portal:
Navigate to Settings > API Keys
Click "Create New Key"
Set permissions and rate limits
Copy the key (shown only once)
Via API:
Rate Limit Tiers
free        10            100
pro         100           10,000
enterprise  1000          Unlimited
custom      Configurable  Configurable
Revoking Keys
Permission Scopes
API keys can be scoped to specific permissions:
chat - Chat sessions and messages
mcp - MCP tool execution
admin - Admin portal functions
flowise - Flowise workflows
code - AgentiCode execution
Error Responses
401 Unauthorized
403 Forbidden
429 Too Many Requests
Security Best Practices
Never expose keys in client-side code - Use server-side proxies
Rotate keys regularly - Create new keys and deprecate old ones
Use minimal permissions - Only grant necessary scopes
Monitor usage - Watch for unusual patterns in the Admin Portal
Use environment variables - Never commit keys to version control
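An added example, not AgenticWork's own code, for the environment-variable and version-control practices above: it loads a key from a variable, rejects a key whose prefix belongs to the wrong environment, and scans text for keys before it is committed. The variable name AGENTICWORK_API_KEY and the key body format (8 or more alphanumerics after the prefix) are assumptions.

```python
import os
import re

# Prefixes come from this page; the key body format (8+ alphanumerics) is an assumption.
PREFIX_ENV = {"aw_live_": "production", "aw_test_": "testing"}
KEY_RE = re.compile(r"\b(aw_live_|aw_test_)[A-Za-z0-9]{8,}")


def redact(key):
    """Keep the prefix and last 4 characters so logs never hold a usable key."""
    return f"{key[:8]}...{key[-4:]}"  # both documented prefixes are 8 characters


def load_api_key(expected_env, environ=os.environ, var="AGENTICWORK_API_KEY"):
    """Read the key from the environment; refuse a key for the wrong environment."""
    key = environ.get(var, "").strip()  # var name is hypothetical
    if not key:
        raise RuntimeError(f"{var} is not set")
    match = KEY_RE.fullmatch(key)
    if match is None:
        raise ValueError(f"{var} does not look like an AgenticWork key")
    actual = PREFIX_ENV[match.group(1)]
    if actual != expected_env:
        raise ValueError(f"{redact(key)} is a {actual} key, expected {expected_env}")
    return key


def auth_headers(key):
    """Build the X-API-Key header documented above."""
    return {"X-API-Key": key}


def scan_for_keys(text):
    """Return (line_number, environment, redacted_key) for each key found in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            env = PREFIX_ENV[match.group(1)]
            findings.append((number, env, redact(match.group(0))))
    return findings


if __name__ == "__main__":
    # Constructed sample: a config file that should never reach version control.
    sample = 'DEBUG=1\nAPI_KEY="aw_live_Zk3Qp9Lm2Xy7"\n'
    for finding in scan_for_keys(sample):
        print("possible committed key:", finding)
```

Running scan_for_keys over staged files in a pre-commit hook blocks a key before it reaches the repository; findings carry only the redacted form, so the hook output is safe to log.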