AIARCOASC Docs

Authentication

Bearer API keys (live and test) + JWT for interactive sessions. Key rotation and revocation.

What it is

Two authentication models:

API keysasc_live_… (prod) or asc_test_… (sandbox). Format: asc_<env>_ + 48 random base32 chars. Issued per project with a list of scopes. Rotate or revoke via the dashboard or API; old keys stop accepting requests within 30 seconds.

JWTs — issued by /v1/auth/login (email + password) for interactive dashboard sessions. 1-hour lifetime, HS256 signed, short-lived refresh token in an httpOnly cookie.

When to use it

  • Use live keys for production workloads.
  • Use test keys for staging — they hit a sandbox runtime with mocked billing.
  • Use JWTs only for browser sessions; never embed them in code.

Quickstart

# Create a scoped key
asc keys create prod-deploy --project my-proj --scopes pods:write,storage:write
 
# Rotate
asc keys rotate <key_id>
 
# Revoke
asc keys revoke <key_id>
from aiarco import Client
client = Client(api_key='asc_live_…')
# or via env: export ASC_API_KEY=asc_live_…
import { Client } from '@aiarco/sdk';
const client = new Client({ apiKey: process.env.ASC_API_KEY });

Limits & quotas

LimitDefaultBurstNotes
API keys per project100
Key revocation propagation<30 s
JWT lifetime1 h

API surface

  • POST /v1/auth/login — interactive login (returns JWT)
  • POST /v1/keys — create a scoped API key (scope: keys:write)
  • POST /v1/keys/{id}/rotate — rotate
  • POST /v1/keys/{id}/revoke — revoke

Security

All access is authenticated and scoped. See Auth & scopes and Network controls.