Manage API Authentication
Authentication methods for the Manage API
The Management API routes (agents-api routes under /manage) require a Bearer token in the Authorization header.
To disable authentication for local development, set DISABLE_AUTH=true or ENVIRONMENT=test in your .env file.
Authentication is attempted in the following priority order:
1. Bypass Secret
When INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET is set, you can use this secret as the Bearer token for full access.
Useful for admin access and CI/CD pipelines.
2. Session Token
If you've authenticated via the device authorization flow (e.g., through the CLI or SDK), your session token can be used.
Session cookies are also supported via the cookie header or x-forwarded-cookie header (for MCP/SDK calls).
3. Database API Key
API keys stored in the database can be used for authentication. These keys are associated with a specific tenant.
4. Internal Service Token
For service-to-service communication within the Inkeep platform, internal service tokens (JWTs) are supported. These tokens can include tenant and project scope.
All requests must include a valid Authorization: Bearer <token> header. If no authentication method succeeds, the API returns a 401 Unauthorized error.