Run API Authentication
Authentication methods for the Run API
The Run API (agents-api routes under /run) authenticates requests using a Bearer token in the Authorization header. Authentication is attempted in the following priority order:
1. JWT Temp Token
Short-lived JWT tokens generated from user session cookies (e.g., via the SDK or device authorization flow). These tokens are signed with INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY.
The token payload includes tenantId, projectId, and agentId.
2. Bypass Secret
When INKEEP_AGENTS_RUN_API_BYPASS_SECRET is set, you can use this secret as the Bearer token. This method requires the scope headers x-inkeep-tenant-id, x-inkeep-project-id, and x-inkeep-agent-id.
Useful for admin access, CI/CD pipelines, and internal services.
3. Database API Key
API keys created from the Manage UI and stored in the database. The key encodes scope (tenant, project, agent), so no additional headers are required.
4. Team Agent Token
JWT tokens used for intra-tenant agent-to-agent delegation. These tokens specify an origin agent and target agent, enabling secure team collaboration between agents.
The token's aud (audience) claim is validated against the x-inkeep-sub-agent-id header if provided.
Development Mode
When ENVIRONMENT=development or ENVIRONMENT=test:
- Authentication is attempted but not required
- If no valid auth is found, the request falls back to a default context
- You can specify scope via the x-inkeep-tenant-id, x-inkeep-project-id, and x-inkeep-agent-id headers
If the headers are omitted, scope defaults to test-tenant, test-project, test-agent.
Request Headers
| Header | Description |
|---|---|
| Authorization | Bearer token (required in production) |
| x-inkeep-tenant-id | Tenant ID (required for bypass auth, optional for dev) |
| x-inkeep-project-id | Project ID (required for bypass auth, optional for dev) |
| x-inkeep-agent-id | Agent ID (required for bypass auth, optional for dev) |
| x-inkeep-sub-agent-id | Sub-agent ID for team delegation validation |
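
The resolution order and development fallback described above, as an added model that is not Inkeep's own code. The `verifiers` callbacks (`tempJwt`, `apiKey`, `teamToken`) and the returned `method` labels are hypothetical stand-ins for the real token checks, and falling through to the next method when the bypass secret arrives without scope headers is an assumption.

```javascript
// Added model of the documented resolution order; not Inkeep's implementation.
// Assumes header names are already lower-cased, as Node's HTTP server delivers them.
const { createHash, timingSafeEqual } = require('node:crypto');

const SCOPE_HEADERS = {
  tenantId: 'x-inkeep-tenant-id',
  projectId: 'x-inkeep-project-id',
  agentId: 'x-inkeep-agent-id',
};
const DEV_DEFAULTS = { tenantId: 'test-tenant', projectId: 'test-project', agentId: 'test-agent' };

// Compare SHA-256 digests so both buffers have equal length and the check is constant-time.
function secretsMatch(a, b) {
  const h = (s) => createHash('sha256').update(s).digest();
  return timingSafeEqual(h(a), h(b));
}

// Read the three scope headers; missing ones are taken from `defaults` when given.
function scopeFromHeaders(headers, defaults = {}) {
  const scope = {};
  for (const [field, name] of Object.entries(SCOPE_HEADERS)) {
    scope[field] = headers[name] ?? defaults[field];
  }
  return Object.values(scope).every(Boolean) ? scope : null;
}

// `verifiers` holds hypothetical callbacks that return a scope object or null.
function resolveAuth(headers, env, verifiers) {
  const match = /^Bearer (.+)$/.exec(headers.authorization ?? '');
  const token = match ? match[1] : null;
  if (token) {
    const tempJwt = verifiers.tempJwt(token); // 1. JWT temp token
    if (tempJwt) return { method: 'temp-jwt', ...tempJwt };
    const bypass = env.INKEEP_AGENTS_RUN_API_BYPASS_SECRET; // 2. bypass secret + scope headers
    if (bypass && secretsMatch(token, bypass)) {
      const scope = scopeFromHeaders(headers);
      if (scope) return { method: 'bypass', ...scope };
    }
    const apiKey = verifiers.apiKey(token); // 3. database API key (scope is in the key)
    if (apiKey) return { method: 'api-key', ...apiKey };
    const team = verifiers.teamToken(token); // 4. team agent token
    const sub = headers['x-inkeep-sub-agent-id'];
    if (team && (!sub || team.aud === sub)) return { method: 'team-agent', ...team };
  }
  if (['development', 'test'].includes(env.ENVIRONMENT)) { // auth attempted, not required
    return { method: 'dev-fallback', ...scopeFromHeaders(headers, DEV_DEFAULTS) };
  }
  return null; // production: no valid credential, reject
}
```

In this model a request with no valid credential is rejected only when ENVIRONMENT is neither development nor test, so that variable is worth checking on any deployment reachable from outside.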