Authentication

Ingest and policy routes authenticate with an organization ingest API key created in the console (API keys page). Keys are scoped to one organization.

Header format

text
Authorization: Bearer aegis_xxxxxxxxxxxxxxxx

Key properties

  • Prefix aegis_ — treat as a secret; store in a vault or env var.
  • Bound to the organization that created it — events must use the same organization_id.
  • Revocable from Console → API keys without rotating signing keys.
  • Plan limits apply (max keys, events/month) — see Errors & limits.

Signing keys (separate from API key)

Each agent has an Ed25519 signing key pair. The private key signs events client-side; the public key is registered server-side. Ingest rejects events with unknown key_id or invalid signatures.

Failure responses

  • 401 — missing/invalid bearer token
  • 403 — organization mismatch between API key and request body
  • 422 — unknown signing key or invalid signature