Authentication
Bearer API keys (live and test) + JWT for interactive sessions. Key rotation and revocation.
What it is
Two authentication models:
API keys — asc_live_… (prod) or asc_test_… (sandbox). Format: asc_<env>_ + 48 random base32 chars. Issued per project with a list of scopes. Rotate or revoke via the dashboard or API; old keys stop accepting requests within 30 seconds.
JWTs — issued by /v1/auth/login (email + password) for interactive dashboard sessions. 1-hour lifetime, HS256 signed, short-lived refresh token in an httpOnly cookie.
When to use it
- Use live keys for production workloads.
- Use test keys for staging — they hit a sandbox runtime with mocked billing.
- Use JWTs only for browser sessions; never embed them in code.
Quickstart
# Create a scoped key
asc keys create prod-deploy --project my-proj --scopes pods:write,storage:write
# Rotate
asc keys rotate <key_id>
# Revoke
asc keys revoke <key_id>from aiarco import Client
client = Client(api_key='asc_live_…')
# or via env: export ASC_API_KEY=asc_live_…import { Client } from '@aiarco/sdk';
const client = new Client({ apiKey: process.env.ASC_API_KEY });Limits & quotas
| Limit | Default | Burst | Notes |
|---|---|---|---|
| API keys per project | 100 | — | |
| Key revocation propagation | <30 s | — | |
| JWT lifetime | 1 h | — |
API surface
POST /v1/auth/login— interactive login (returns JWT)POST /v1/keys— create a scoped API key (scope:keys:write)POST /v1/keys/{id}/rotate— rotatePOST /v1/keys/{id}/revoke— revoke
Security
All access is authenticated and scoped. See Auth & scopes and Network controls.