Amarsia
Concepts

API key

Secure every API call to deployed assistants using your Amarsia API key.

Overview

An API key is the default credential Amarsia uses to authenticate calls to a deployed assistant. Your application sends it in the x-api-key header on every request.

Keys are required whenever an assistant has authentication turned on. For public, authless deployments, see Security for how requests are authorized by allowlist instead.

Where to create keys

From there you can create, copy, and revoke keys.

Request header

x-api-key: YOUR_API_KEY

If the assistant has authentication turned off, you can omit the header and rely on the allowlist defined in the assistant's Security settings.

Key management basics

  • Keep keys on your backend or secure server environment.
  • Never hardcode keys in public frontend code.
  • Revoke and rotate keys if exposure is suspected.
  • Use separate keys by environment when possible.

Treat API keys like production credentials. If a key leaks, rotate it immediately.

Usage

Monitor every run with detailed logs, token metrics, and action traces.

Security

Control who can call an assistant with API-key authentication or an origin allowlist.

On this page

OverviewWhere to create keysRequest headerKey management basicsRelated