# Authentication (/docs/authentication) Use API keys to authenticate server-to-server requests to andibase. You can either create a key manually in the app or start a customer approval flow for an agent and exchange the approved device code for a workspace key. Embedded apps use a separate runtime-key flow described below. Those keys are still Better Auth API keys, but they are short-lived, server-issued, and intended to stay in memory only. Agent login flow [#agent-login-flow] Agents can start a browser-based customer approval flow without asking the user to dig through the app first. 1. Call `POST /api/agent/auth/requests`. 2. Show the returned `userCode` or `verificationUriComplete` to the customer. 3. The customer signs in at `/agent-login` and approves one workspace. 4. Poll `POST /api/agent/auth/exchange` with the returned `deviceCode`. 5. Once approved, the response includes a workspace-scoped API key secret at `apiKey.key`. 6. Persist that key securely and reuse it. Do not send the user through login again unless the key was revoked or intentionally expired. Example start request: ```bash curl "https://andibase.com/api/agent/auth/requests" \ -H "Content-Type: application/json" \ -d '{ "agentName": "Claude", "agentDescription": "Inspect and update workspace data", "role": "admin" }' ``` If you omit `role`, agent login defaults to `admin`. How authentication works [#how-authentication-works] Create an API key from your workspace in the app: 1. Open the workspace you want to access. 2. Go to **API Keys**. 3. Create a key and choose the role it should have. 4. Copy the secret immediately. You will only see it once. Each API key is scoped to the workspace where it was created. When you send the key, the API resolves that workspace from the key itself. Embedded apps [#embedded-apps] Apps published at `/w/:handle/apps/:handle` require a signed-in session and workspace membership. The iframe uses the normal first-party session cookie. It does not receive a runtime API key. Instead it calls the API through: * `window.andibase.fetch(path, init?)` That helper: 1. Sends `credentials: "include"`. 2. Adds `x-workspace-handle` automatically for the app workspace. 3. Does not inject an `Authorization` header. Send the key in the `Authorization` header [#send-the-key-in-the-authorization-header] Use the key as a bearer token: ```bash curl "https://andibase.com/api/data-definitions" \ -H "Authorization: Bearer $ANDI_API_KEY" ``` For clients that cannot send bearer tokens, `x-api-key: ` is also accepted, but `Authorization: Bearer ` is the recommended format. Store the key securely [#store-the-key-securely] Do not hardcode API keys in source files or commit them to git. Store the key in a secure environment variable such as `ANDI_API_KEY`: ```bash export ANDI_API_KEY="andi_live_..." ``` Then read it from your server runtime: ```ts const apiKey = process.env.ANDI_API_KEY; const response = await fetch("https://andibase.com/api/data-definitions", { headers: { Authorization: `Bearer ${apiKey}`, }, }); ``` That guidance applies to manual and agent-login API keys. Roles [#roles] When you create a key, you assign one of the hardcoded roles: * `admin`: full workspace access. This is the default for manual API keys and agent-login keys. * `editor`: read and write access for apps, data, and files, plus workspace read access. * `viewer`: read-only access across apps, data, files, and workspace metadata. The API still enforces permissions internally. If a key does not have the required capability, the API returns `403` with a JSON body that names the missing permission. Workspace behavior [#workspace-behavior] API keys are already bound to one workspace, so you do not need to send a workspace header with bearer-token requests. That makes them a good fit for backend services, workers, scripts, and integrations running outside the app. Recommendations [#recommendations] * Use a different API key per environment or integration. * Grant the smallest role that fits the integration. * Rotate keys if they are exposed or no longer needed. * Revoke keys from the workspace **API Keys** page when an integration is retired. ## Documentation Navigation Use these paths to traverse the relevant docs and generated API reference files for the app. - Authentication [current] -> `/docs/authentication` (source: `content/docs/authentication.mdx`) - andibase Overview -> `/docs` (source: `content/docs/index.mdx`) - Get started (for AI Agents) -> `/docs/agent-get-started` (source: `content/docs/agent-get-started.mdx`) - Agent Tools -> `/docs/agent-tools` (source: `content/docs/agent-tools.mdx`) - Agents -> `/docs/agents` (source: `content/docs/agents.mdx`) - Agent Auth -> `/docs/api-reference/agent-auth` - Get agent login request -> `/docs/api-reference/agent-auth/get-api-v1-agent-auth-requests-usercode` - Exchange agent login -> `/docs/api-reference/agent-auth/post-api-v1-agent-auth-exchange` - Start agent login -> `/docs/api-reference/agent-auth/post-api-v1-agent-auth-requests` - Approve agent login -> `/docs/api-reference/agent-auth/post-api-v1-agent-auth-requests-usercode-approve` - Deny agent login -> `/docs/api-reference/agent-auth/post-api-v1-agent-auth-requests-usercode-deny` - Agents -> `/docs/api-reference/agents` - Delete workspace agent -> `/docs/api-reference/agents/delete-api-v1-agents-id` - List workspace agents -> `/docs/api-reference/agents/get-api-v1-agents` - Get workspace agent -> `/docs/api-reference/agents/get-api-v1-agents-id` - List agent chats -> `/docs/api-reference/agents/get-api-v1-agents-id-chats` - Get agent chat -> `/docs/api-reference/agents/get-api-v1-agents-id-chats-chatid` - Update workspace agent -> `/docs/api-reference/agents/patch-api-v1-agents-id` - Create workspace agent -> `/docs/api-reference/agents/post-api-v1-agents` - Send agent message -> `/docs/api-reference/agents/post-api-v1-agents-id-chats-chatid-messages` - Apps -> `/docs/api-reference/apps` - Delete app -> `/docs/api-reference/apps/delete-api-v1-apps-id` - List workspace apps -> `/docs/api-reference/apps/get-api-v1-apps` - Get app by id -> `/docs/api-reference/apps/get-api-v1-apps-id` - Update app -> `/docs/api-reference/apps/patch-api-v1-apps-id` - Create app -> `/docs/api-reference/apps/post-api-v1-apps` - Automations -> `/docs/api-reference/automations` - Delete workspace automation -> `/docs/api-reference/automations/delete-api-v1-automations-id` - List workspace automations -> `/docs/api-reference/automations/get-api-v1-automations` - Get workspace automation -> `/docs/api-reference/automations/get-api-v1-automations-id` - List automation runs -> `/docs/api-reference/automations/get-api-v1-automations-id-runs` - Get automation run -> `/docs/api-reference/automations/get-api-v1-automations-id-runs-runid` - Update workspace automation -> `/docs/api-reference/automations/patch-api-v1-automations-id` - Create workspace automation -> `/docs/api-reference/automations/post-api-v1-automations` - Run automation -> `/docs/api-reference/automations/post-api-v1-automations-id-run` - Trigger automation webhook -> `/docs/api-reference/automations/post-api-v1-automations-webhooks-publicid-secret` - Channels -> `/docs/api-reference/channels` - Delete channel -> `/docs/api-reference/channels/delete-api-v1-channels-channelid` - List channels -> `/docs/api-reference/channels/get-api-v1-channels` - Get channel -> `/docs/api-reference/channels/get-api-v1-channels-channelid` - Update channel -> `/docs/api-reference/channels/patch-api-v1-channels-channelid` - Create channel -> `/docs/api-reference/channels/post-api-v1-channels` - Data -> `/docs/api-reference/data` - Data Definitions -> `/docs/api-reference/data-definitions` - Delete data definition -> `/docs/api-reference/data-definitions/delete-api-v1-data-definitions-id` - List data definitions -> `/docs/api-reference/data-definitions/get-api-v1-data-definitions` - Get data definition -> `/docs/api-reference/data-definitions/get-api-v1-data-definitions-id` - Update data definition -> `/docs/api-reference/data-definitions/patch-api-v1-data-definitions-id` - Create data definition -> `/docs/api-reference/data-definitions/post-api-v1-data-definitions` - Data SQL Query -> `/docs/api-reference/data-sql-query` - Run SQL query against workspace data -> `/docs/api-reference/data-sql-query/post-api-v1-data-sql-query` - Get data by id -> `/docs/api-reference/data/get-api-v1-data-definitions-definitionid-data-id` - Select all data row ids -> `/docs/api-reference/data/get-api-v1-data-definitions-definitionid-data-select-all` - List data -> `/docs/api-reference/data/get-api-v1-data-definitions-definitionid-query` - Patch many data rows -> `/docs/api-reference/data/patch-api-v1-data-definitions-definitionid-data-patch-many` - Delete many data rows -> `/docs/api-reference/data/post-api-v1-data-definitions-definitionid-data-delete-many` - Upsert many data rows -> `/docs/api-reference/data/post-api-v1-data-definitions-definitionid-data-upsert-many` - DuckDB Query -> `/docs/api-reference/duckdb-query` - Run a DuckDB query against registered sources -> `/docs/api-reference/duckdb-query/post-api-v1-duckdb-query` - Explorer -> `/docs/api-reference/explorer` - Delete explorer folder -> `/docs/api-reference/explorer/delete-api-v1-workspace-nodes-nodeid` - List explorer nodes -> `/docs/api-reference/explorer/get-api-v1-workspace-nodes` - List explorer folders -> `/docs/api-reference/explorer/get-api-v1-workspace-nodes-folders` - Rename explorer folder -> `/docs/api-reference/explorer/patch-api-v1-workspace-nodes-nodeid-rename` - Create folder -> `/docs/api-reference/explorer/post-api-v1-workspace-nodes-folders` - Move explorer node -> `/docs/api-reference/explorer/post-api-v1-workspace-nodes-nodeid-move` - Files -> `/docs/api-reference/files` - List workspace files -> `/docs/api-reference/files/get-api-v1-files` - Read file content -> `/docs/api-reference/files/get-api-v1-files-fileid-content` - Create file -> `/docs/api-reference/files/post-api-v1-files` - Complete file upload -> `/docs/api-reference/files/post-api-v1-files-fileid-complete` - Presign multipart parts -> `/docs/api-reference/files/post-api-v1-files-fileid-parts` - Update file content -> `/docs/api-reference/files/put-api-v1-files-fileid-content` - Messages -> `/docs/api-reference/messages` - List channel messages -> `/docs/api-reference/messages/get-api-v1-channels-channelid-messages` - List thread messages -> `/docs/api-reference/messages/get-api-v1-channels-channelid-threads-threadid-messages` - Create channel message -> `/docs/api-reference/messages/post-api-v1-channels-channelid-messages` - Create thread message -> `/docs/api-reference/messages/post-api-v1-channels-channelid-threads-threadid-messages` - Notifications -> `/docs/api-reference/notifications` - List notification devices -> `/docs/api-reference/notifications/get-api-v1-notifications-devices` - Check Expo notification receipts -> `/docs/api-reference/notifications/post-api-v1-notifications-receipts` - Send workspace notifications -> `/docs/api-reference/notifications/post-api-v1-notifications-send` - Runs -> `/docs/api-reference/runs` - List workspace runs -> `/docs/api-reference/runs/get-api-v1-runs` - Get workspace run -> `/docs/api-reference/runs/get-api-v1-runs-runid` - Threads -> `/docs/api-reference/threads` - List channel threads -> `/docs/api-reference/threads/get-api-v1-channels-channelid-threads` - Get thread -> `/docs/api-reference/threads/get-api-v1-channels-channelid-threads-threadid` - Create thread -> `/docs/api-reference/threads/post-api-v1-channels-channelid-threads` - Workflows -> `/docs/api-reference/workflows` - Delete workflow definition -> `/docs/api-reference/workflows/delete-api-v1-workflows-id` - List workflow definitions -> `/docs/api-reference/workflows/get-api-v1-workflows` - Get workflow definition -> `/docs/api-reference/workflows/get-api-v1-workflows-id` - Update workflow definition -> `/docs/api-reference/workflows/patch-api-v1-workflows-id` - Create workflow definition -> `/docs/api-reference/workflows/post-api-v1-workflows` - Workspaces -> `/docs/api-reference/workspaces` - Delete workspace API key -> `/docs/api-reference/workspaces/delete-api-v1-workspaces-workspacehandle-api-keys-keyid` - Delete workspace credential -> `/docs/api-reference/workspaces/delete-api-v1-workspaces-workspacehandle-credentials-credentialid` - Delete workspace invitation -> `/docs/api-reference/workspaces/delete-api-v1-workspaces-workspacehandle-invitations-invitationid` - Delete workspace user -> `/docs/api-reference/workspaces/delete-api-v1-workspaces-workspacehandle-users-userid` - List my workspaces -> `/docs/api-reference/workspaces/get-api-v1-workspaces` - List workspace API keys -> `/docs/api-reference/workspaces/get-api-v1-workspaces-workspacehandle-api-keys` - List workspace credentials -> `/docs/api-reference/workspaces/get-api-v1-workspaces-workspacehandle-credentials` - List workspace credential tools -> `/docs/api-reference/workspaces/get-api-v1-workspaces-workspacehandle-credentials-credentialid-tools` - List workspace invitations -> `/docs/api-reference/workspaces/get-api-v1-workspaces-workspacehandle-invitations` - List workspace users -> `/docs/api-reference/workspaces/get-api-v1-workspaces-workspacehandle-users` - Create workspace -> `/docs/api-reference/workspaces/post-api-v1-workspaces` - Create workspace API key -> `/docs/api-reference/workspaces/post-api-v1-workspaces-workspacehandle-api-keys` - Create workspace credential -> `/docs/api-reference/workspaces/post-api-v1-workspaces-workspacehandle-credentials` - Invite user to workspace -> `/docs/api-reference/workspaces/post-api-v1-workspaces-workspacehandle-invitations` - Create workspace user -> `/docs/api-reference/workspaces/post-api-v1-workspaces-workspacehandle-users` - Apps -> `/docs/apps` (source: `content/docs/apps.mdx`) - Building Blocks -> `/docs/building-blocks` (source: `content/docs/building-blocks.mdx`) - Data Model -> `/docs/data-model` (source: `content/docs/data-model.mdx`) - Embedded Host Actions -> `/docs/embedded-host-actions` (source: `content/docs/embedded-host-actions.mdx`) - Introduction -> `/docs/introduction` (source: `content/docs/introduction.mdx`) - Recipes -> `/docs/receipes` (source: `content/docs/receipes/index.mdx`) - Construction Site Visit Agent -> `/docs/receipes/construction-site-visit-agent` (source: `content/docs/receipes/construction-site-visit-agent.mdx`) - Daily Lead Qualification Agent -> `/docs/receipes/daily-lead-qualification-agent` (source: `content/docs/receipes/daily-lead-qualification-agent.mdx`) - Day Planner Agent -> `/docs/receipes/day-planner-agent` (source: `content/docs/receipes/day-planner-agent.mdx`) - Expense Tracker -> `/docs/receipes/expense-tracker` (source: `content/docs/receipes/expense-tracker.mdx`) - Legal Case Tracker -> `/docs/receipes/legal-case-tracker` (source: `content/docs/receipes/legal-case-tracker.mdx`) - Spare Parts Request Agent -> `/docs/receipes/spare-parts-request-agent` (source: `content/docs/receipes/spare-parts-request-agent.mdx`) - Weekly Report Email Agent -> `/docs/receipes/weekly-report-email-agent` (source: `content/docs/receipes/weekly-report-email-agent.mdx`) - UI Components -> `/docs/ui-components` (source: `content/docs/ui-components.mdx`)