API Keys
All requests to api.wardin.ai/v1/ use Bearer token authentication:
Authorization: Bearer wardin_sk_YOUR_KEY
The same wardin_sk_ keys used to authenticate with the gateway also work with the management API. The key’s permissions determine what operations are allowed.
Key prefixes
| Prefix | Type | Used for |
|---|
wardin_sk_ | Virtual key | Gateway proxy calls + management API |
Register the wardin_sk_ prefix with your secret scanner (GitHub Advanced Security, truffleHog, Gitleaks) to prevent accidental commits.
Key permissions
| Operation | Permission required |
|---|
| Create / update / delete keys | Manager |
| Create / update / delete policies | Manager |
| Create / update / delete budgets | Manager |
| Approve / deny budget requests | Manager |
| Read analytics | Any valid key |
| List keys | Any valid key (own keys only, unless manager) |
Example request
curl https://api.wardin.ai/v1/keys \
-H "Authorization: Bearer wardin_sk_YOUR_KEY" \
-H "Content-Type: application/json"
Error responses
Missing key:
{
"error": {
"type": "unauthorized",
"message": "Missing or invalid API key.",
"code": 401
}
}
Insufficient permissions:
{
"error": {
"type": "forbidden",
"message": "This operation requires manager-level access.",
"code": 403
}
}
Rotating keys
There is no in-place rotation — create a new key, update your environment, then revoke the old one:
# 1. Create a new key
curl -X POST https://api.wardin.ai/v1/keys \
-H "Authorization: Bearer wardin_sk_OLD_KEY" \
-H "Content-Type: application/json" \
-d '{"name": "admin-rotated"}'
# 2. Update your WARDIN_API_KEY env var to the new key
# 3. Revoke the old key
curl -X DELETE https://api.wardin.ai/v1/keys/key_OLD_ID \
-H "Authorization: Bearer wardin_sk_NEW_KEY"