Browse sections

API Keys

Workspace API keys authenticate public /gw/… routes: mint keys in the console, rotate them safely, import the CLI key into the VS Code extension, and use session or token auth for the management APIs.

API keys gate access to gateway routes that are configured for API-key authentication. Create and manage them from the API Keys panel in the sidebar.

Usage

curl
curl -H "X-Api-Key: your-key" \
  https://your-host/api/gw/your-tenant/your-path

You can rotate or deactivate a key at any time. One key can be designated as the CLI key for use with the VS Code extension.

The management REST API under /api/… (invoke, deploy, code upload, and so on) authenticates with your login session, an Authorization: Bearer token, or an X-Api-Key header. Those credentials are opaque session tokens or Personal Access Tokens (inq_pat_…, stored only as a hash)—not JWTs. Public /gw/… routes are separate: they check X-Api-Key against the workspace keys you attach to a route.

API key auth for serverless functions — gateway-level enforcement overview →