Authentication

All API requests require authentication using Service Keys

Service Keys

Service Keys are API keys that allow programmatic access to your Studio workspace

Service Keys provide secure authentication for your applications to interact with the Skej Studio API. Each key is scoped to a specific tenant and can have granular permissions.

Important: Keep your Service Keys secure. Never expose them in client-side code or commit them to version control.

Creating a Service Key

  1. Log in to your Skej Studio dashboard
  2. Navigate to Settings → API Keys
  3. Click "Create Service Key"
  4. Give your key a descriptive name
  5. Select the appropriate scopes (permissions)
  6. Set an expiration date (optional but recommended)
  7. Click "Generate Key" and save it securely
Warning: The full key is only shown once during creation. Store it securely—you won't be able to see it again.

Authentication Header

Include your Service Key in the Authorization header of every request

Header Format:

Authorization: Bearer sk_live_your_service_key_here

Example Request (cURL):

curl -X GET \
  'https://api.staging.agnt.ai/tenants/tenant_123/prompts' \
  -H 'Authorization: Bearer sk_live_your_service_key_here' \
  -H 'Content-Type: application/json'

Scopes & Permissions

Control what actions your Service Key can perform

prompts:read
Read access to prompts and their versions
prompts:write
Create, update, and publish prompts
blocks:read
Read access to reusable blocks
blocks:write
Create and update reusable blocks
traces:read
Read access to execution traces and analytics

Authentication Response Codes

200 OK

Request successful, authentication valid

401 Unauthorized

Missing, invalid, or expired Service Key

403 Forbidden

Service Key doesn't have required scopes for this operation

Security Best Practices

  • Use environment variables to store Service Keys
  • Set expiration dates on Service Keys when possible
  • Use the minimum required scopes for each key
  • Rotate keys regularly and revoke unused keys
  • Never commit keys to version control
  • Never expose keys in client-side JavaScript