Authentication
API Key Authentication
The Ayra API uses API key authentication: every request must include a valid API key in the Authorization header, using Bearer token format.
How Authentication Works
The API validates your key and determines which resources you can access based on the key's permissions.
Authentication happens on every request. There's no concept of "logging in" and maintaining session state. Each request is independently authenticated using the provided API key. This stateless authentication model is simple, secure, and scales well.
Authentication Header Format
Include your API key in the Authorization header of every request using this format:
Authorization: Bearer YOUR_API_KEY_HERE
Example cURL Request:
curl https://api.ayra.ai/v1/agents \
  -H "Authorization: Bearer sk_live_abc123xyz789" \
  -H "Content-Type: application/json"
Example in JavaScript (Node.js):
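const axios = require('axios');

// await is only valid inside an async function in a CommonJS module
async function listAgents() {
  const response = await axios.get('https://api.ayra.ai/v1/agents', {
    headers: {
      'Authorization': 'Bearer sk_live_abc123xyz789',
      'Content-Type': 'application/json'
    }
  });
  return response.data;
}
Example in Python: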
import requests

headers = {
    'Authorization': 'Bearer sk_live_abc123xyz789',
    'Content-Type': 'application/json'
}
response = requests.get('https://api.ayra.ai/v1/agents', headers=headers)
Example in PHP:
<?php
$api_key = 'sk_live_abc123xyz789';
$ch = curl_init('https://api.ayra.ai/v1/agents');
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Authorization: Bearer ' . $api_key,
    'Content-Type: application/json'
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
?>
Authentication Errors
When authentication fails, the API returns a specific error code to help diagnose the issue:
401 Unauthorized - Missing API Key
{
  "error": {
    "type": "authentication_error",
    "message": "No API key provided",
    "code": "missing_api_key"
  }
}
This error occurs when the Authorization header is missing entirely. Ensure every request includes the header.
401 Unauthorized - Invalid API Key
{
  "error": {
    "type": "authentication_error",
    "message": "Invalid API key provided",
    "code": "invalid_api_key"
  }
}
This error indicates the API key is malformed or doesn't exist. Verify you're using the correct key without typos or extra whitespace.
401 Unauthorized - Expired API Key
{
  "error": {
    "type": "authentication_error",
    "message": "API key has expired",
    "code": "expired_api_key"
  }
}
API keys can expire if set with expiration dates. Generate a new key to restore access.
401 Unauthorized - Revoked API Key
{
  "error": {
    "type": "authentication_error",
    "message": "API key has been revoked",
    "code": "revoked_api_key"
  }
}
Revoked keys no longer grant access. This happens when keys are explicitly deleted or when security issues are detected. Generate a new key.
403 Forbidden - Insufficient Permissions
{
  "error": {
    "type": "permission_error",
    "message": "This API key lacks permission to perform this action",
    "code": "insufficient_permissions",
    "required_permission": "agents:write"
  }
}
This error indicates that authentication succeeded but the API key doesn't have the necessary permissions. Create a new key with appropriate permissions or use a different key.
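None of the five errors above can be fixed by resending the same request with the same key, so a client should map each code to a next step instead of retrying. The following is an added example, not Ayra's own code; the action names and the AuthFailure type are this example's inventions, and only the status codes, error codes and required_permission field come from this page.

```python
from dataclasses import dataclass
from typing import Optional

# Error codes documented on this page, mapped to the client's next step.
# The action strings are hypothetical names chosen for this example.
_ACTIONS = {
    "missing_api_key": "fix_request",            # header was never sent
    "invalid_api_key": "check_configured_key",   # typo, whitespace, wrong key
    "expired_api_key": "generate_new_key",
    "revoked_api_key": "generate_new_key",
    "insufficient_permissions": "use_key_with_permission",
}


@dataclass(frozen=True)
class AuthFailure:
    status: int
    code: str
    action: str
    required_permission: Optional[str] = None


def classify_auth_failure(status: int, body: object) -> Optional[AuthFailure]:
    """Return an AuthFailure for a 401/403 response, or None for any other status."""
    if status not in (401, 403):
        return None
    error = body.get("error") if isinstance(body, dict) else None
    if not isinstance(error, dict):
        error = {}
    code = error.get("code")
    if not isinstance(code, str) or code not in _ACTIONS:
        # Unrecognised or non-JSON body (for example a proxy error page):
        # stop rather than loop on a key that may be revoked.
        return AuthFailure(status, "unknown", "stop_and_investigate")
    return AuthFailure(status, code, _ACTIONS[code], error.get("required_permission"))
```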
Testing Authentication
To verify authentication is working correctly, call the API info endpoint:
curl https://api.ayra.ai/v1/account \
  -H "Authorization: Bearer YOUR_API_KEY"
Successful authentication returns your account details:
{
  "data": {
    "account_id": "acc_abc123",
    "email": "you@company.com",
    "company_name": "Your Company",
    "plan": "professional",
    "api_version": "v1"
  },
  "meta": {
    "request_id": "req_xyz789",
    "timestamp": "2025-01-15T10:30:00Z"
  }
}
Failed authentication returns a 401 error as described above.
Security Best Practices
Never Expose API Keys
- Don't commit API keys to version control systems like Git
- Don't include keys in client-side code where they're visible in the browser
- Don't share keys via email or unsecured channels
- Don't log API keys in application logs
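Keys usually reach logs by accident, when a request's headers or an exception message are logged whole. The following is an added example, not part of the Ayra documentation: a Python logging filter that masks keys before any handler writes them. It assumes keys look like the sample on this page (sk_live_...); the sk_test_ variant and the character set are guesses, so Bearer values are masked independently of the key format.

```python
import logging
import re

# Assumed key shape, based only on the sample key shown on this page.
_KEY = re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]+")
# Catches any credential after "Bearer ", whatever the key looks like.
_BEARER = re.compile(r"(\bBearer\s+)[^\s'\"]+", re.IGNORECASE)


def redact(text: str) -> str:
    """Mask anything that looks like an API key or a Bearer credential."""
    text = _KEY.sub("sk_[REDACTED]", text)
    return _BEARER.sub(r"\1[REDACTED]", text)


class RedactKeysFilter(logging.Filter):
    """Rewrite each record so a key never reaches a handler's output."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so keys passed as %-style arguments are masked too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def install(handler: logging.Handler) -> logging.Handler:
    """Attach the filter to a handler and return it."""
    handler.addFilter(RedactKeysFilter())
    return handler
```

Attach the filter to handlers rather than to a logger: a logger-level filter is not applied to records that propagate up from child loggers.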
Use Environment Variables
Store API keys in environment variables rather than hardcoding. This separates credentials from code and enables different keys for different environments.
// Good - using environment variable
const apiKey = process.env.AYRA_API_KEY;

// Bad - hardcoded key (commented out so the snippet stays valid)
// const apiKey = 'sk_live_abc123xyz789';
Implement Key Rotation
Rotate API keys periodically (every 90 days recommended). Generate new keys before revoking old ones to prevent service interruption during rotation. Update all systems using old keys before revoking.
Use Separate Keys for Different Purposes
Create separate API keys for:
- Production and development environments
- Different applications or services
- Different team members or contractors
- Different permission scopes
Separate keys enable fine-grained tracking, easier revocation if specific keys are compromised, and better security isolation.
Monitor API Key Usage
Track which keys are being used and for what operations. Monitor for unusual patterns indicating compromised keys. Set up alerts for unexpected usage. Review key usage regularly and revoke unused keys.
Revoke Compromised Keys Immediately
If you suspect a key has been compromised:
- Revoke it immediately through the dashboard
- Generate a new replacement key
- Update all systems that were using the compromised key
- Review API logs for any unauthorized actions taken with the compromised key
Contact Ayra support immediately for assistance with security incidents. Provide the request_ids of suspicious API calls for investigation.
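The log review step above can be scripted so the request_ids are ready to hand to support. The following is an added example, not Ayra tooling: it assumes API log records are available as dictionaries with the field names shown, which are hypothetical, and it treats any call from an IP address you do not recognise as suspicious. The sample records are constructed.

```python
from datetime import datetime

# Constructed sample of exported API log records. The field names are
# assumptions for this example, not a documented Ayra log format.
SAMPLE_LOG = [
    {"ts": "2025-01-15T10:30:00Z", "key_id": "key_prod", "source_ip": "203.0.113.10",
     "method": "GET", "path": "/v1/agents", "request_id": "req_001"},
    {"ts": "2025-01-15T11:09:00Z", "key_id": "key_prod", "source_ip": "198.51.100.77",
     "method": "GET", "path": "/v1/account", "request_id": "req_004"},
    {"ts": "2025-01-15T11:02:00Z", "key_id": "key_prod", "source_ip": "198.51.100.77",
     "method": "POST", "path": "/v1/agents", "request_id": "req_002"},
    {"ts": "2025-01-15T11:05:00Z", "key_id": "key_dev", "source_ip": "198.51.100.77",
     "method": "GET", "path": "/v1/agents", "request_id": "req_003"},
    {"ts": "2025-01-14T09:00:00Z", "key_id": "key_prod", "source_ip": "198.51.100.77",
     "method": "GET", "path": "/v1/agents", "request_id": "req_000"},
]


def _parse(ts: str) -> datetime:
    # fromisoformat() rejects a trailing "Z" before Python 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(records, key_id, known_ips, since):
    """Calls made with key_id at or after `since` from IPs outside known_ips.

    Returns (request_ids, writes): every suspicious request_id in time order,
    and the subset that was not a GET, which should be reviewed first.
    """
    start = _parse(since)
    hits = [r for r in records
            if r["key_id"] == key_id
            and r["source_ip"] not in known_ips
            and _parse(r["ts"]) >= start]
    hits.sort(key=lambda r: _parse(r["ts"]))
    ids = [r["request_id"] for r in hits]
    writes = [r["request_id"] for r in hits if r["method"] != "GET"]
    return ids, writes
```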