Bearer keys and scopes
Authentication
Every API request carries a bearer key in the Authorization header. Keys belong to a project, carry an explicit scope list, and are checked by the trust kernel at execution time — a run fails at the offending step, not at the door, and the attempt is logged.
```bash
curl https://api.myndlabs.ai/v1/runs \
  -H "Authorization: Bearer sk_live_..."
```
Key types
| prefix | environment | notes |
|---|---|---|
| sk_live_ | production | Server-side secret. Full scope grants allowed. |
| sk_test_ | sandbox | Synthetic context; free to call; same API shape. |
| pk_live_ | browser | Can only mint short-lived session tokens. |
| sk_ci_ | CI | Read-only default; for replay and eval pipelines. |
Scopes
Scopes are resource:verb pairs granted at key creation. The kernel enforces them per fetch and per action; scope_denied errors name the missing scope so widening is a deliberate act, not a guess.
| scope | grants |
|---|---|
| runs:write | Create and delete runs |
| runs:read | Retrieve runs and traces |
| context:documents | Read the documents source |
| context:calendar | Read the calendar source |
| context:finance | Read the finance source |
| agents:execute | Runs may invoke declared tools |
| files:write | Upload and delete files |
| webhooks:manage | Create, rotate, delete webhook endpoints |
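As an added example (not Mynd Labs' own code), the block below models both the key-type table and the scope table above together with the per-step check the page attributes to the trust kernel: a key is recognised when the request arrives, but each step's scope is tested only when that step executes, so a run gets as far as the first step whose scope the key lacks, that attempt is logged, and the error names the missing scope. The audit-record layout, the step representation, the example key values and the reading of the sk_ci_ "read-only default" as runs:read plus the three context scopes are assumptions made for illustration.

```python
"""Added example, not Mynd Labs' own code: a small model of the key-type and
scope tables on this page, with the per-step check the text attributes to the
trust kernel. The audit-record layout, the run/step representation, the key
values and the choice of runs:read plus the context scopes as the sk_ci_
read-only default are assumptions made for illustration."""
import hashlib
from dataclasses import dataclass

# The scope table from this page.
SCOPES = {
    "runs:write", "runs:read",
    "context:documents", "context:calendar", "context:finance",
    "agents:execute", "files:write", "webhooks:manage",
}
# Assumption: "read-only" means the scopes that only read (runs:read, context:*).
READ_ONLY = frozenset(s for s in SCOPES if s == "runs:read" or s.startswith("context:"))
PREFIXES = ("sk_live_", "sk_test_", "pk_live_", "sk_ci_")


class ScopeDenied(Exception):
    """Raised at the offending step; names the missing scope, as scope_denied does."""
    def __init__(self, step, missing):
        super().__init__(f"scope_denied at step {step!r}: missing {missing}")
        self.step, self.missing = step, missing


@dataclass(frozen=True)
class Key:
    value: str
    scopes: frozenset


def key_prefix(value):
    for p in PREFIXES:
        if value.startswith(p):
            return p
    raise ValueError(f"unrecognised key prefix: {value[:8]!r}")


def create_key(value, scopes=()):
    """Key creation: scopes are granted here, subject to the prefix rules."""
    prefix = key_prefix(value)
    scopes = set(scopes)
    unknown = scopes - SCOPES
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    if prefix == "pk_live_" and scopes:
        # A publishable key only mints session tokens; it holds no resource scopes.
        raise ValueError("pk_live_ keys cannot be granted resource scopes")
    if prefix == "sk_ci_" and not scopes:
        scopes = set(READ_ONLY)  # read-only default
    return Key(value, frozenset(scopes))


def redact(value):
    """Audit records carry the prefix and a short hash, never the raw key."""
    return key_prefix(value) + hashlib.sha256(value.encode()).hexdigest()[:8]


def execute_run(key, steps, audit):
    """The kernel check: each step's scope is tested when that step executes.
    Steps before the offending one complete, the failing attempt is logged,
    and the run stops with scope_denied rather than being refused up front."""
    completed = []
    for step, required in steps:
        if required not in key.scopes:
            audit.append({"key": redact(key.value), "step": step,
                          "outcome": "scope_denied", "missing": required})
            raise ScopeDenied(step, required)
        audit.append({"key": redact(key.value), "step": step, "outcome": "ok"})
        completed.append(step)
    return completed


# Constructed run: read a trace, read documents, then invoke a tool.
RUN = [("fetch_trace", "runs:read"),
       ("read_documents", "context:documents"),
       ("invoke_tool", "agents:execute")]


def demo():
    """An sk_ci_ key with the read-only default gets two steps in before the
    tool invocation is denied for lack of agents:execute."""
    audit = []
    try:
        execute_run(create_key("sk_ci_eval-pipeline-01"), RUN, audit)
    except ScopeDenied as err:
        return {"failed_step": err.step, "missing": err.missing, "audit": audit}
    return {"failed_step": None, "missing": None, "audit": audit}


if __name__ == "__main__":
    print(demo())
```

Widening the sk_ci_ key is then a one-line change at creation (add agents:execute to the grant list), which is the deliberate act the scope_denied message is meant to prompt; the same run with a fully scoped sk_live_ key completes all three steps.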
Session tokens
For browser and mobile surfaces, exchange a publishable key plus your backend's signature for a session token: 15-minute lifetime, scoped to a single user's slice of the graph, refreshable server-side. Never embed a secret key in a client.
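The exchange above, as an added example that is not the Mynd Labs API: the backend signs a statement about one user with the secret key it alone holds, the API verifies that signature and mints a token that expires after fifteen minutes and only covers that user, and refresh happens server-side by re-minting. The signature scheme (HMAC-SHA256 over publishable key, user id and timestamp, keyed with the project's secret key), the token format, the 60-second freshness window and every key value are assumptions made for illustration.

```python
"""Added example, not the Mynd Labs API: a hypothetical model of the
session-token exchange described on this page. The backend signature scheme
(HMAC-SHA256 over publishable key, user id and timestamp, keyed with the
project's secret key), the token format, the freshness window and every key
value below are assumptions made for illustration."""
import base64
import hashlib
import hmac
import json
import time

TOKEN_TTL = 15 * 60        # 15-minute lifetime, per the page
SIGNATURE_WINDOW = 60      # assumption: a backend signature is accepted for 60 s

# Constructed project record as held server-side. The secret key exists only
# on your backend and at the API; it is never shipped to a browser or app.
PROJECT = {"pk": "pk_live_example", "sk": "sk_live_example_secret"}
TOKEN_KEY = b"example-token-signing-key"   # assumption: API-side key for tokens


def _mac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def backend_sign(sk, pk, user_id, now=None):
    """Your backend vouches for one user. Only it holds sk, so only it can
    produce a signature the API will accept; the client never sees sk."""
    ts = str(int(now if now is not None else time.time()))
    return ts, _mac(sk.encode(), f"{pk}|{user_id}|{ts}")


def mint_session_token(pk, user_id, ts, sig, now=None):
    """API side: check the publishable key, signature freshness and the HMAC,
    then issue a token scoped to a single user."""
    now = int(now if now is not None else time.time())
    if pk != PROJECT["pk"]:
        raise PermissionError("unknown publishable key")
    if abs(now - int(ts)) > SIGNATURE_WINDOW:
        raise PermissionError("stale backend signature")
    expected = _mac(PROJECT["sk"].encode(), f"{pk}|{user_id}|{ts}")
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad backend signature")
    claims = {"sub": user_id, "pk": pk, "exp": now + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    return f"{body}.{_mac(TOKEN_KEY, body)}"


def verify_session_token(token, now=None):
    """API side, on each request: reject forged or expired tokens and return
    the claims, whose sub is the one user the token may see."""
    now = int(now if now is not None else time.time())
    body, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(_mac(TOKEN_KEY, body), sig):
        raise PermissionError("bad token signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if now >= claims["exp"]:
        raise PermissionError("session token expired")
    return claims


def authorize_user_fetch(token, requested_user, now=None):
    """A token is one user's slice of the graph; a fetch for anyone else is
    refused even when the token itself is valid."""
    claims = verify_session_token(token, now)
    return claims["sub"] == requested_user


def refresh_session_token(token, now=None):
    """Server-side refresh: re-mint for the same user before expiry. The
    client never extends its own lifetime."""
    claims = verify_session_token(token, now)
    now = int(now if now is not None else time.time())
    ts, sig = backend_sign(PROJECT["sk"], claims["pk"], claims["sub"], now)
    return mint_session_token(claims["pk"], claims["sub"], ts, sig, now)
```

The point to check in a real deployment is the one the model makes explicit: nothing the client holds (the publishable key, a token) is enough to mint a token for a different user or to push an expiry out, because both operations need a signature from the backend's secret.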
Rotation and revocation
Rotation is overlap-based: create the successor, deploy, revoke the old key. Revocation propagates globally in under five seconds. Keys idle for 90 days are flagged on the dashboard; treat them as candidates for deletion.