Authentication

API keys, bearer tokens, rotation, and how to keep your credentials safe.

Every request to the Jettson API is authenticated with an API key as a bearer token in the Authorization header.

Generating a key

API keys are managed in the Console at /console/api-keys. Click Create key, name it, and copy the value — Jettson shows the secret exactly once.

Key format:

text

jett_sk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

The _live_ segment is fixed for now — test-mode keys (jett_sk_test_…) ship alongside the production deploy and behave identically except they're scoped to a sandbox account.

Sending the key

Set the Authorization header on every API request:

bash

curl https://jettson.dev/api/v1/agents \
  -H "Authorization: Bearer $JETTSON_API_KEY"

What Jettson stores

We store a SHA-256 hash of each key — never the plaintext. After you copy the value at creation time, there's no way for anyone (including Jettson support) to recover it. Lost it? Revoke and create a new one.

Revoking a key

In the Console, find the key in /console/api-keys and click Revoke. Revoked keys are rejected on the next request — there's no propagation delay.

Revoked keys remain in your history (with a revokedAt timestamp) so audit logs stay intact.

Security best practices

Rate limits

Rate limits are per-key, not per-account. The free tier allows 5 spawns/minute and 30 spawns/hour per key; Pro and Scale are much higher. See rate limits for the full table.

Programmatic key management

Creating and revoking keys via the API is coming in a future release. For now, both flows happen through the Console UI.