Authentication

All Bedrock API requests require authentication using an API key. API keys are scoped to a specific Product and grant access to manage agents within that product.

Getting an API Key

API keys are created through the Bedrock dashboard or API:
  1. Create or select a Product
  2. Navigate to the product’s settings
  3. Create a new API key with a descriptive name

Save your API key immediately after creation. For security, the full key is only displayed once and cannot be retrieved later.

Using Your API Key

Include your API key in the Authorization header with the Bearer prefix:
Authorization: Bearer YOUR_API_KEY

Example Request

curl -X GET https://api.bedrock.orinlabs.org/api/cloud/agents/ \
  -H "Authorization: Bearer bk_abc123..."

API Key Scope

Each API key is scoped to a single product. With an API key you can:
| Resource | Access |
| --- | --- |
| Agents | Full CRUD - create, read, update, delete, run |
| Traces | Read - view agent execution traces |
| Memory | Read/Write - log messages, get memory context |
| Adapters | Read - view available adapters and tools |
| Adapter Configs | Full CRUD - configure adapters for your product |

Creating API Keys via API

You can also create API keys programmatically:
curl -X POST https://api.bedrock.orinlabs.org/api/products/api-keys/ \
  -H "Authorization: Bearer EXISTING_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Key",
    "product": "YOUR_PRODUCT_ID"
  }'
Response:
{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "name": "Production Key",
  "key": "bk_live_xyz789...",
  "product": "your-product-id",
  "is_active": true,
  "created_at": "2024-01-15T10:30:00Z"
}

Managing API Keys

List Keys

curl -X GET "https://api.bedrock.orinlabs.org/api/products/api-keys/?product=YOUR_PRODUCT_ID" \
  -H "Authorization: Bearer YOUR_API_KEY"

Delete a Key

curl -X DELETE https://api.bedrock.orinlabs.org/api/products/api-keys/KEY_ID/ \
  -H "Authorization: Bearer YOUR_API_KEY"

Security Best Practices

Environment Variables

Store API keys in environment variables; never hardcode them in source code.

Server-Side Only

Never expose API keys in client-side code or public repositories.

Rotate Regularly

Create new keys and delete old ones periodically.

Descriptive Names

Name keys by environment/purpose for easy auditing.

Error Responses

| Status | Meaning |
| --- | --- |
| 401 Unauthorized | Missing or invalid API key |
| 403 Forbidden | Valid key but accessing another product’s resources |

{
  "detail": "Authentication credentials were not provided."
}
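
The rotation practice above ("create new keys and delete old ones") can be scripted with only the endpoints shown on this page. The following is an added example, not Bedrock's own code: it reads the current key from the environment, creates a replacement, confirms the replacement authenticates, stores it, and only then deletes the old key. Assumptions: the variable name `BEDROCK_API_KEY`, the caller already knows the old key's ID, any 2xx status means success, and all function names and the `store` callback are illustrative.

```python
import json
import os
import urllib.error
import urllib.request

BASE = "https://api.bedrock.orinlabs.org"
# Meanings taken from the error table on this page.
ERRORS = {401: "missing or invalid API key",
          403: "valid key, but another product's resource"}

class BedrockError(RuntimeError):
    pass

def http_send(method, url, headers, body=None):
    """Default transport; returns (status, parsed JSON or None)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, b""  # the error body is not needed
    return status, (json.loads(raw) if raw else None)

def call(send, key, method, path, payload=None):
    headers = {"Authorization": f"Bearer {key}"}
    body = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        body = json.dumps(payload).encode()
    status, data = send(method, BASE + path, headers, body)
    if not 200 <= status < 300:
        # Report the status only; the key never appears in the message.
        reason = ERRORS.get(status, "unexpected status")
        raise BedrockError(f"{method} {path}: HTTP {status} ({reason})")
    return data

def rotate_key(old_key_id, product_id, name, store, send=http_send, env=os.environ):
    """Create a replacement key, prove it works, store it, then delete the old one."""
    old_key = env.get("BEDROCK_API_KEY")  # assumed variable name
    if not old_key:
        raise BedrockError("BEDROCK_API_KEY is not set")
    created = call(send, old_key, "POST", "/api/products/api-keys/",
                   {"name": name, "product": product_id})
    new_key = created["key"]  # the full key is only returned at creation
    # If this check fails, the old key stays in place and nothing is locked out.
    call(send, new_key, "GET", "/api/cloud/agents/")
    store(created["id"], new_key)  # persist (e.g. secret manager) before deleting
    call(send, new_key, "DELETE", f"/api/products/api-keys/{old_key_id}/")
    return created["id"]
```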