Authentication
Vargate supports three authentication methods. All API requests (except public endpoints) require one of these.
API Key
The primary method for programmatic access. Send your API key in the X-API-Key header of every request. The key is a bearer credential: anyone who holds it can act as your tenant, so handle it as a secret.
Obtaining Your Key
Your API key is generated when you sign up. You can view it in the dashboard under Settings, or retrieve it from the signup response.
Rotating Your Key
Rotate your API key periodically, and immediately if you suspect it has been exposed. Call POST /api-keys/rotate, authenticated with your current key.
The response contains your new key. The old key is invalidated immediately.
Rotation is immediate
The new key exists only in the rotate response, and the old key stops working the instant that response is returned. Every client still holding the old key will fail with authentication errors until it receives the new one, so plan the cutover: rotate at a time when you can push the new key to all clients promptly, or drain traffic from them first.
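The cutover described above, as an added example (this is not Vargate's own client or SDK): a small client that sends X-API-Key and reads the key from the environment, a rotation helper that fans the new key out to every other client, and an in-memory stand-in for the API so the example runs offline and shows the window in which stale clients are rejected. Assumptions not stated on this page: requests go to https://vargate.ai/api/..., POST /api-keys/rotate is authenticated with the current key, and its JSON response carries the new key in an "api_key" field.

```python
"""Added example (not Vargate's own code): an API-key client and a rotation
cutover, run against an in-memory stand-in for the API so it works offline.

Assumptions not stated on the page: requests go to https://vargate.ai/api/...,
POST /api-keys/rotate is authenticated with the current key, and its JSON
response carries the new key in an "api_key" field.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

API_BASE = "https://vargate.ai/api"  # assumption: base path for the endpoints below

# A transport takes (method, url, headers) and returns (status, body).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real HTTP transport. API_BASE is https, as the page requires."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class VargateClient:
    def __init__(self, api_key: Optional[str] = None, transport: Transport = urllib_transport):
        # Take the key from the environment rather than hardcoding it.
        self.api_key = api_key or os.environ["VARGATE_API_KEY"]
        self._transport = transport

    def request(self, method: str, path: str) -> Tuple[int, str]:
        headers = {"X-API-Key": self.api_key, "Accept": "application/json"}
        status, body = self._transport(method, API_BASE + path, headers)
        if status == 401:
            raise PermissionError(f"{method} {path}: API key rejected (revoked or rotated?)")
        return status, body

    def rotate_key(self) -> str:
        """Rotate and switch this client to the new key in the same step."""
        _, body = self.request("POST", "/api-keys/rotate")
        self.api_key = json.loads(body)["api_key"]  # assumed response field
        return self.api_key


def rotate_and_fan_out(primary: VargateClient, others: Iterable[VargateClient]) -> str:
    """One rotate call, then push the new key to every other holder. Everything
    in `others` fails with 401 between the rotate call and its own update,
    which is why the cutover has to be planned."""
    new_key = primary.rotate_key()
    for client in others:
        client.api_key = new_key
    return new_key


class FakeVargate:
    """Constructed stand-in that mimics the documented behaviour: exactly one
    valid key at a time; rotate returns a new key and kills the old one."""
    def __init__(self, initial_key: str):
        self.valid_key = initial_key
        self.rotations = 0

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        if headers.get("X-API-Key") != self.valid_key:
            return 401, json.dumps({"error": "invalid API key"})
        if method == "POST" and url == API_BASE + "/api-keys/rotate":
            self.rotations += 1
            self.valid_key = f"vg-rotated{self.rotations:03d}"
            return 200, json.dumps({"api_key": self.valid_key})
        return 200, json.dumps({"ok": True})


def demo() -> Tuple[str, bool, int]:
    server = FakeVargate("vg-abc123")
    a = VargateClient("vg-abc123", transport=server)
    b = VargateClient("vg-abc123", transport=server)
    new_key = a.rotate_key()
    try:                      # b still holds the old key: rejected instantly
        b.request("GET", "/credentials/access-log")
        stale_rejected = False
    except PermissionError:
        stale_rejected = True
    b.api_key = new_key       # the cutover step
    status, _ = b.request("GET", "/credentials/access-log")
    return new_key, stale_rejected, status


if __name__ == "__main__":
    print(demo())
```

Against the real API, construct `VargateClient()` with no arguments so the key comes from `VARGATE_API_KEY`; the fake transport is only there to make the stale-key failure visible without a network.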
JWT Session
Used by the web dashboard. Obtain a session token by logging in:
curl -X POST https://vargate.ai/api/auth/login \
-H "Content-Type: application/json" \
-d '{"email": "[email protected]", "password": "your-password"}'
Use the token in the Authorization header on subsequent requests.
Sessions expire after the configured TTL. The dashboard refreshes its token automatically; a client that drives the API with a session token must log in again once the token has expired.
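A client that keeps a JWT session usable, as an added example (not Vargate's own code): it reads the token's expiry to log in again shortly before the TTL runs out, and sends the token on each request. Assumptions not stated on this page: the token is sent as `Authorization: Bearer <token>`, the login response carries the token in a "token" field, and the JWT has a standard `exp` claim (seconds since the epoch). The client reads `exp` only to schedule re-login; it does not verify the signature or trust the claims for anything else, since validation is the server's job.

```python
"""Added example (not Vargate's own code): keep a JWT session usable by
logging in again before the `exp` claim passes.

Assumptions: Authorization uses the Bearer scheme, POST /api/auth/login
returns {"token": "..."} and the JWT carries a standard `exp` claim.
The client never verifies the token; it only reads `exp` to time re-login.
"""
import base64
import json
import time
import urllib.request
from typing import Callable, Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_expiry(token: str) -> Optional[int]:
    """Return the `exp` claim of a JWT, or None if absent or malformed.
    No signature verification: the value is only used for scheduling."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return int(exp) if isinstance(exp, (int, float)) else None


def login_with_password(email: str, password: str) -> str:
    """The login call shown on the page; assumes a "token" field in the reply."""
    body = json.dumps({"email": email, "password": password}).encode()
    req = urllib.request.Request(
        "https://vargate.ai/api/auth/login", data=body, method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())["token"]


class SessionAuth:
    """Holds a session token and re-logs in `skew` seconds before it expires."""
    def __init__(self, login: Callable[[], str], skew: int = 30,
                 now: Callable[[], float] = time.time):
        self._login, self._skew, self._now = login, skew, now
        self._token: Optional[str] = None

    def token(self) -> str:
        exp = jwt_expiry(self._token) if self._token else None
        if exp is None or exp - self._skew <= self._now():
            self._token = self._login()
        return self._token

    def headers(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.token()}"}


def make_sample_token(exp: int) -> str:
    """Constructed sample with valid JWT structure and a bogus signature; only
    good for exercising the parser, never accepted by a real server."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc({'sub': 'user', 'exp': exp})}.notasignature"


def demo() -> int:
    """Simulated clock: 1 h TTL, calls at t0, t0+30min and 10 s before expiry.
    Returns how many logins happened (the third call must trigger one)."""
    clock = [1_700_000_000]
    logins = []

    def fake_login() -> str:
        logins.append(clock[0])
        return make_sample_token(clock[0] + 3600)

    auth = SessionAuth(fake_login, skew=30, now=lambda: clock[0])
    auth.headers()              # no token yet: first login
    clock[0] += 1800
    auth.headers()              # still fresh: token reused
    clock[0] += 1800 - 10       # inside the 30 s skew window: re-login
    auth.headers()
    return len(logins)


if __name__ == "__main__":
    print(demo())
```

With the real endpoint, pass `lambda: login_with_password(email, password)` as the `login` callable; the skew exists so that a request issued just before expiry does not fail mid-flight.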
GitHub OAuth
Alternative signup and login via GitHub:
- Navigate to https://vargate.ai/api/auth/github
- Authorize the Vargate application
- You're redirected back with a session token
Security Best Practices
Never commit API keys
Store keys in environment variables or a secrets manager. Never hardcode them in source code.
- Use environment variables: export VARGATE_API_KEY=vg-abc123...
- Rotate regularly: call POST /api-keys/rotate on a schedule
- Scope access: each tenant has its own key with isolated data
- Monitor access: check GET /credentials/access-log for credential usage
- HTTPS only: all API requests must use HTTPS in production
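One way to enforce the "never commit API keys" rule mechanically, as an added example (not Vargate tooling): a pre-commit hook that scans the staged content of each file for key-shaped tokens and refuses the commit if any are found. The only fact taken from this page is the `vg-` prefix; the assumption that a key is that prefix followed by at least eight letters or digits is mine, so adjust `KEY_RE` to match your real keys. The sample config text in the block is constructed for the demonstration.

```python
"""Added example (not Vargate tooling): a git pre-commit hook that blocks
commits containing what looks like a Vargate API key.

Assumption: keys are the `vg-` prefix from the docs followed by at least
eight letters or digits. Tune KEY_RE to your actual key format.
"""
import re
import subprocess
import sys
from typing import FrozenSet, List, Tuple

# Key-shaped token not glued to other identifier characters on either side.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])vg-[A-Za-z0-9]{8,}(?![A-Za-z0-9_-])")

# Constructed sample of a config file with one leaked literal.
SAMPLE = """\
# settings.py (constructed sample)
VARGATE_API_KEY = "vg-9f3kLm2Qx81zT"     # leaked literal: must be caught
api_key = os.environ["VARGATE_API_KEY"]   # fine: read from the environment
url = "https://vargate.ai/api"            # fine: no key here
"""


def find_keys(text: str, allow: FrozenSet[str] = frozenset()) -> List[Tuple[int, str]]:
    """Return (line_number, key) for every key-shaped token in `text`,
    skipping values in `allow` (documented placeholders, test fixtures)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in KEY_RE.finditer(line):
            if match.group(0) not in allow:
                hits.append((lineno, match.group(0)))
    return hits


def staged_files() -> List[str]:
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path: str) -> str:
    # Read the staged blob (":path"), not the working tree, so the check
    # covers exactly what would be committed.
    return subprocess.run(["git", "show", f":{path}"], capture_output=True,
                          text=True, errors="replace", check=True).stdout


def main() -> int:
    findings = 0
    for path in staged_files():
        try:
            content = staged_content(path)
        except subprocess.CalledProcessError:
            continue  # unreadable blob; nothing to scan
        for lineno, key in find_keys(content):
            # Print only a prefix so the hook itself does not leak the key.
            print(f"{path}:{lineno}: possible Vargate API key {key[:6]}... "
                  "(refusing to commit; use VARGATE_API_KEY instead)", file=sys.stderr)
            findings += 1
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (executable) or wire it into your pre-commit framework; a non-zero exit aborts the commit. The page's own placeholder `vg-abc123...` is shorter than the eight-character minimum and is therefore not flagged.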