API Keys
Create, scope, test, rotate, and use WyrdOS API keys safely
API keys authenticate requests to the WyrdOS HTTP API. Create and manage them under Settings > API Keys.
Scope
Each key is scoped to a workspace and can include explicit permissions:
| Permission | Use |
|---|---|
| Read | List and inspect resources. |
| Write | Create or update resources. |
| Delete | Delete resources. Use sparingly. |
Use A Key
Pass the key as a Bearer token:
Authorization: Bearer <API_KEY>Smoke test:
curl -H "Authorization: Bearer <API_KEY>" \
"https://<your-wyrdos-api-host>/api/v1/organisations"Expected result: 200 OK with a data wrapper listing visible organisations, or an empty list if the key has no visible organisations.
Operational Rules
- Store keys in environment variables or a secret manager.
- Do not commit keys to source control.
- Redact keys from logs and screenshots.
- Use separate keys for CI, local development, and agents.
- Rotate a key if it appears in chat, logs, screenshots, or an untrusted script.
- Prefer read-only keys for agents that only need context.
Error Meanings
| Status | Meaning |
|---|---|
| 401 | Missing or invalid key. |
| 403 | Key is valid but lacks permission or visibility. |
| 404 | Resource does not exist or is not visible to the key. |
See API Reference for response contracts and examples.
© 2026 WyrdOS
All rights reserved.
All rights reserved.