SDK npm package is not published yet and API environments may be unavailable.
Authentication

Every request to the Integration API must include an API key. This page explains the authentication model, how to manage keys, and common error patterns.

Overview

The Integration API uses API keys for authentication. Each key is scoped to a single tenant and evaluated per-request against that tenant's active entitlements. API keys are managed through the Ananke Labs Console.

There is currently one authentication method: the x-api-key header. Future versions may add OAuth 2.0 client credentials for machine-to-machine flows.

API keys

API keys are created in the Console under Settings → API Keys. When you create a key, the raw secret is displayed once. Ananke Labs stores only a hash of the key — the original value cannot be retrieved later.

Each key has:

  • Prefix — a visible identifier (e.g., ak_live_) for log correlation
  • Secret — the full key value, shown only at creation time
  • Tenant scope — the key can only access resources belonging to its tenant
  • Entitlement checks — each request is validated against the tenant's active plan and quotas

Request headers

Include the API key in the x-api-key header on every request:

bash
curl -X GET https://api.anankelabs.net/v1/trust/templates \
  -H "x-api-key: ak_live_your_key_here" \
  -H "Content-Type: application/json"

The Content-Type: application/json header is required for POST/PUT requests with a JSON body. GET requests do not need it.

SDK authentication

The TypeScript SDK handles the header automatically. Pass the key at client instantiation:

TypeScript
import { AnankeClient } from "@ananke/sdk";

const client = new AnankeClient({
  apiKey: process.env.ANANKE_API_KEY!,
});

// All requests include x-api-key automatically
const templates = await client.trust.templates.list();

Common errors

Status  Code          Meaning
401     UNAUTHORIZED  Missing, malformed, or invalid API key
403     FORBIDDEN     Key is valid but the tenant's quota is exhausted or the tenant is suspended

Security notes

  • Never log or commit your API key. Load it from environment variables or a secret manager.
  • Rotate keys regularly. You can have multiple active keys per tenant to enable zero-downtime rotation.
  • Do not expose keys in client-side code. API keys are server-side credentials. For browser-based verification, use the public verification endpoints which do not require authentication.
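
The security notes and the error table above, combined in one caller-side helper. This is an added example, not code from the Ananke SDK. The function names, the label format and the ANANKE_API_KEY_NEXT variable are assumptions made for illustration, as is the idea that every key starts with the ak_live_ prefix.

```typescript
import { createHash } from "node:crypto";

// Assumption: keys start with the documented "ak_live_" prefix.
const KEY_PREFIX = "ak_live_";
type Env = Record<string, string | undefined>;
type Action = "ok" | "try-next-key" | "stop";

// Log-safe label: visible prefix plus a short SHA-256 fingerprint, never the secret.
function keyLabel(key: string): string {
  const fp = createHash("sha256").update(key).digest("hex").slice(0, 8);
  return `${KEY_PREFIX}***#${fp}`;
}

// Load the current key and, during rotation, an optional second active key.
// ANANKE_API_KEY_NEXT is a hypothetical variable name chosen for this example.
function loadKeys(env: Env): string[] {
  const keys: string[] = [];
  for (const name of ["ANANKE_API_KEY", "ANANKE_API_KEY_NEXT"]) {
    const value = (env[name] ?? "").trim();
    if (value === "") continue;
    if (!value.startsWith(KEY_PREFIX) || value.length === KEY_PREFIX.length) {
      // Name the variable, not its value, so the error is safe to log.
      throw new Error(`${name} is set but does not look like an API key`);
    }
    keys.push(value);
  }
  if (keys.length === 0) throw new Error("ANANKE_API_KEY is not set");
  return keys;
}

// Copy of the request headers that is safe to write to logs.
function redactHeaders(headers: Record<string, string>): Record<string, string> {
  const safe: Record<string, string> = {};
  for (const name of Object.keys(headers)) {
    safe[name] = name.toLowerCase() === "x-api-key" ? keyLabel(headers[name]) : headers[name];
  }
  return safe;
}

// 401: this key was rejected, so the other active key may still work.
// 403: the key is valid; quota or suspension applies to the whole tenant, so stop.
function onStatus(status: number, keysLeft: number): Action {
  if (status < 400) return "ok";
  if (status === 401 && keysLeft > 0) return "try-next-key";
  return "stop";
}

// Constructed sample key, not a real credential.
console.log(redactHeaders({ "x-api-key": "ak_live_constructed_sample" }));
```

During a rotation, set both variables, deploy, revoke the old key in the Console, then drop the second variable. A 401 on the first key then falls through to the second instead of failing the request.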