Authentication

Two authentication methods

| Method | Header | Used for |
|---|---|---|
| API Key | X-API-Key: adj_agent_... | SDK trace ingestion |
| JWT | Authorization: Bearer <token> | Dashboard / management endpoints |

API key types

adj_agent_* — Agent-scoped keys. Used by SDKs to ingest traces. Each key is bound to a specific agent at creation time. A trace sent with this key is automatically tagged with that agent's ID — no need to pass agentId in every request.

adj_live_* — Organization-level keys. Created via Dashboard → Settings → API Keys. Used for management operations and webhook configuration.

Agent-scoped keys

Agent scoping limits the blast radius if a key is compromised. A stolen adj_agent_* key can only submit traces for the agent it was created for — it cannot read other agents' data, modify policies, or access the dashboard.

When you create an agent, Adjudon generates its API key and stores the agent scope snapshot. This snapshot is immutable — rotating the key generates a new key with the same scope.

Key rotation

Rotate a key via the API:

curl -X POST https://api.adjudon.com/api/v1/agents/AGENT_ID/regenerate-key \
  -H "Authorization: Bearer <jwt>"

The old key is immediately invalidated. Update your deployment before rotating in production.

Security best practices

  • Never commit API keys to git
  • Use environment variables: ADJUDON_API_KEY
  • Rotate keys regularly (quarterly minimum)
  • Use agent-scoped keys in all SDKs — they limit blast radius

import os
from adjudon import Adjudon

# Read the key from the environment instead of hard-coding it in source.
client = Adjudon(
    api_key=os.environ["ADJUDON_API_KEY"],
    agent_id="my-agent",
)
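
To back the "never commit API keys to git" practice with a check, the following added example (not Adjudon's code) scans file contents for hard-coded adj_agent_* and adj_live_* keys and reports them redacted, with the scope each prefix implies. The key-body pattern (16 or more characters of [A-Za-z0-9_-]), the function names and the sample input are assumptions; the page documents only the prefixes.

```python
import re
import sys

# Assumption: only the prefixes are documented on the page. The key body is
# taken here to be 16+ characters from [A-Za-z0-9_-].
KEY_RE = re.compile(r"\b(adj_(agent|live)_[A-Za-z0-9_-]{16,})")

SCOPE = {
    "agent": "agent-scoped (trace ingestion for one agent)",
    "live": "organization-level (management, webhooks)",
}

# Constructed sample input; the key values are made up for this example.
SAMPLE = '''\
import os
from adjudon import Adjudon
client = Adjudon(api_key=os.environ["ADJUDON_API_KEY"])  # fine
legacy = Adjudon(api_key="adj_agent_EXAMPLEexample0123456789")
WEBHOOK_KEY = "adj_live_EXAMPLEexample9876543210"
# docs placeholder, must not be flagged: X-API-Key: adj_agent_...
'''


def scan(text, path="<stdin>"):
    """Return one finding per hard-coded key, never echoing the full key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            key, kind = m.group(1), m.group(2)
            findings.append({
                "path": path,
                "line": lineno,
                "scope": SCOPE[kind],
                "key": f"adj_{kind}_...{key[-4:]}",  # prefix + last 4 only
            })
    return findings


if __name__ == "__main__":
    hits = []
    for p in sys.argv[1:]:  # file names, as a pre-commit hook passes them
        with open(p, encoding="utf-8", errors="replace") as fh:
            hits += scan(fh.read(), p)
    for h in hits:
        print(f"{h['path']}:{h['line']}: {h['scope']} key {h['key']}")
    sys.exit(1 if hits else 0)
```

Run it over the staged files from a pre-commit hook; a non-zero exit blocks the commit, and any key it reports should be rotated rather than just deleted from the file.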

Rate limits

All endpoints are rate-limited. If you exceed the limit, you receive a 429 response with a Retry-After header indicating when to retry. See Error Codes for the full list of rate-limit codes.