Authentication

The Ontyx HTTP API uses bearer tokens for authentication. Generate a token from the dashboard and send it in the Authorization header on every request.

Authorization: Bearer ontyx_live_ak_<keyId>_<secret>

API keys follow the format ontyx_<env>_ak_<keyId>_<secret>, where:

  • ontyx identifies the product namespace.
  • env is live or test. Today only live keys are issued; test is reserved for a future sandbox.
  • ak is the credential type. Future credential types (for example sk, pk) will use the same shape.
  • keyId is a 26-character public identifier you can safely share when reporting issues — it lets us find your key without you sending the secret.
  • secret is a 32-character random component (~190 bits of entropy). This is the part you must keep private.

The ontyx_live_ak_ prefix makes keys easy to identify in logs and secrets scanners.
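As an added illustration (not Ontyx's own code), the following Python shows how a server would parse the bearer header, accept only well-formed live keys, verify the secret segment against the stored hash, and redact full tokens from log text so only the shareable keyId survives. It assumes a base62 alphabet for the keyId and secret segments (the page gives only their lengths and entropy), uses argon2-cffi when installed and otherwise falls back to scrypt as a labelled stand-in for Argon2id.

```python
import hashlib, hmac, re, secrets
from typing import Optional
# Assumed alphabet: the page gives lengths (26 / 32 chars) and ~190 bits of
# entropy, which fits base62; the exact character set is not documented.
KEY_RE = re.compile(r"ontyx_(live|test)_ak_([A-Za-z0-9]{26})_([A-Za-z0-9]{32})")
FULL_RE = re.compile(r"\A" + KEY_RE.pattern + r"\Z")

def parse_bearer(authorization: str) -> Optional[tuple]:
    """Return (env, key_id, secret) from an Authorization header, else None."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme != "Bearer":
        return None
    m = FULL_RE.match(token.strip())
    return m.groups() if m else None

def redact(text: str) -> str:
    """Log/scanner helper: keep the shareable keyId, drop the secret segment."""
    return KEY_RE.sub(lambda m: f"ontyx_{m[1]}_ak_{m[2]}_[REDACTED]", text)

# Stored form is a hash of the *secret segment only*, never the whole token.
try:
    from argon2 import PasswordHasher  # argon2-cffi, if installed
    from argon2.exceptions import VerifyMismatchError
    _ph = PasswordHasher()
    def hash_secret(secret: str) -> str:
        return _ph.hash(secret)
    def check_secret(stored: str, secret: str) -> bool:
        try:
            return _ph.verify(stored, secret)
        except VerifyMismatchError:
            return False
except ImportError:  # stand-in for environments without argon2-cffi: scrypt
    def hash_secret(secret: str) -> str:
        salt = secrets.token_bytes(16)
        dk = hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1)
        return salt.hex() + "$" + dk.hex()
    def check_secret(stored: str, secret: str) -> bool:
        salt_hex, dk_hex = stored.split("$", 1)
        dk = hashlib.scrypt(secret.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
        return hmac.compare_digest(dk.hex(), dk_hex)

def authenticate(authorization: str, store: dict) -> Optional[str]:
    """Product-API check: key_id on success, None -> respond 401 INVALID_KEY."""
    parsed = parse_bearer(authorization)
    if parsed is None or parsed[0] != "live":  # only live keys are issued today
        return None
    _, key_id, secret = parsed
    stored = store.get(key_id)  # a revoked key is deleted, so lookup fails
    return key_id if stored is not None and check_secret(stored, secret) else None
```

The `store` dict stands in for the dashboard's key table (keyId to hash); revoking a key is modelled by removing its entry, which makes `authenticate` return None exactly as the 401 INVALID_KEY path above describes.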

Generate a key

  1. Sign in to the Ontyx dashboard.
  2. Go to API Keys and click New key.
  3. Give your key a descriptive name — for example, the service or agent that will use it.
  4. Click Create and copy the key immediately.

The plaintext is shown exactly once. The dashboard stores only an Argon2id hash of the secret segment — never the full token — so it cannot be recovered later. If you lose the key, revoke it and create a new one.

Show-once UX

After creation, a panel appears with the full token and a “Copy” button. You must confirm “I have saved this key” before navigating away. Once you dismiss the panel, the plaintext is gone from the UI permanently.

Revoke a key

To revoke a key, go to Dashboard → API Keys, find the key by its public identifier (ontyx_live_ak_<keyId>), and click Revoke. Revocation is immediate — the key is deleted from the store and any subsequent requests using it will return 401 INVALID_KEY.

Revocation is also available via the control plane API:

DELETE /api-keys/:id
Authorization: <session cookie — dashboard use only>

Control plane vs. product API

Ontyx has two distinct API surfaces:

Control plane — The endpoints listed in this documentation (subscription management, API key lifecycle, usage). These are intended for the dashboard and are authenticated with a session cookie issued at sign-in, not an API key. You would not normally call these from your application code.

Product API — The data-serving endpoints accessed by your agent or application code. These use the bearer token mechanism described on this page. [TODO: documented post-MCP-launch]

Do not use session cookies in automated code — use an API key. Do not use API keys to call dashboard/control-plane endpoints — they are not accepted there.