Skip to main content

Overview

The Fabraix API uses API keys to authenticate requests. You can view and manage your API keys in the Fabraix Dashboard.
Your API keys carry many privileges, so be sure to keep them secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.

Authentication Method

All API requests must include your API key in the x-api-key header: 
curl https://dev.fabraix.com/v1/register-agent-run \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id": "a1b2c3d4-e5f6-7890-1234-567890abcdef",
    "timestamp": "2024-01-01T00:00:00Z",
    "system_prompt": "You are a helpful assistant"
  }'

API Key Types

Fabraix provides different types of API keys for different use cases:

Development Keys

For local development and testing. These keys have relaxed rate limits but should never be used in production.

Production Keys

For production deployments. These keys have higher rate limits and access to production features.

Restricted Keys

Keys with limited scope for specific operations. Perfect for client-side applications or third-party integrations.

Admin Keys

Full access keys for administrative operations. Use with extreme caution.

Managing API Keys

Creating a New API Key

  1. Navigate to the API Keys page in your dashboard
  2. Click “Create New Key”
  3. Select the key type and permissions
  4. Give your key a descriptive name
  5. Copy the key immediately - it won’t be shown again!

Rotating API Keys

We recommend rotating your API keys regularly:
1

Create a New Key

Generate a new API key with the same permissions as the old one
2

Update Your Application

Deploy your application with the new API key
3

Verify Functionality

Ensure your application is working correctly with the new key
4

Revoke the Old Key

Delete the old API key from your dashboard

Revoking API Keys

To immediately revoke an API key:
  1. Go to the API Keys page
  2. Find the key you want to revoke
  3. Click the “Delete” button
  4. Confirm the deletion
Revoking an API key is immediate and irreversible. Make sure you have updated your applications to use a different key before revoking.

Security Best Practices

Environment Variables

Never hardcode API keys in your source code. Use environment variables instead: 
FABRAIX_API_KEY=your_api_key_here

Secret Management

For production environments, use a proper secret management system:
  • AWS: AWS Secrets Manager or Parameter Store
  • Azure: Azure Key Vault
  • Google Cloud: Secret Manager
  • Kubernetes: Kubernetes Secrets
  • HashiCorp: Vault

Client-Side Security

Never expose your secret API keys in client-side code. For browser-based applications, use:
  1. A backend proxy that adds the API key to requests
  2. Restricted keys with limited permissions
  3. Short-lived tokens generated by your backend

Rate Limiting

API keys are subject to rate limiting to ensure fair usage:
Key TypeRequests per MinuteRequests per Hour
Development601,000
Production60010,000
EnterpriseCustomCustom
When you exceed the rate limit, you’ll receive a 429 Too Many Requests response: 
{
  "error": {
    "message": "Rate limit exceeded",
    "type": "rate_limit_error",
    "retry_after": 30
  }
}

Error Responses

Authentication failures will return appropriate HTTP status codes:

401 Unauthorized

Missing or invalid API key: 
{
  "error": {
    "message": "Invalid API key provided",
    "type": "authentication_error",
    "code": "invalid_api_key"
  }
}

403 Forbidden

Valid key but insufficient permissions: 
{
  "error": {
    "message": "API key does not have permission for this operation",
    "type": "authorization_error",
    "code": "insufficient_permissions"
  }
}

Need Help?

If you’re having trouble with authentication:
  1. Verify your API key is correct and active in the dashboard
  2. Check that you’re using the correct header name: x-api-key
  3. Ensure your key has the necessary permissions for the operation
  4. Contact zach@fabraix.com if issues persist