Authentication
Ingest and policy routes authenticate with an organization ingest API key created in the console (API keys page). Keys are scoped to one organization.
Header format
text
Authorization: Bearer aegis_xxxxxxxxxxxxxxxxKey properties
- Prefix
aegis_— treat as a secret; store in a vault or env var. - Bound to the organization that created it — events must use the same
organization_id. - Revocable from Console → API keys without rotating signing keys.
- Plan limits apply (max keys, events/month) — see Errors & limits.
Signing keys (separate from API key)
Each agent has an Ed25519 signing key pair. The private key signs events client-side; the public key is registered server-side. Ingest rejects events with unknown key_id or invalid signatures.
Failure responses
401— missing/invalid bearer token403— organization mismatch between API key and request body422— unknown signing key or invalid signature