Skip to main content

API Keys

All requests to api.wardin.ai/v1/ use Bearer token authentication:
Authorization: Bearer wardin_sk_YOUR_KEY
The same wardin_sk_ keys used to authenticate with the gateway also work with the management API. The key’s permissions determine what operations are allowed.

Key prefixes

PrefixTypeUsed for
wardin_sk_Virtual keyGateway proxy calls + management API
Register the wardin_sk_ prefix with your secret scanner (GitHub Advanced Security, truffleHog, Gitleaks) to prevent accidental commits.

Key permissions

OperationPermission required
Create / update / delete keysManager
Create / update / delete policiesManager
Create / update / delete budgetsManager
Approve / deny budget requestsManager
Read analyticsAny valid key
List keysAny valid key (own keys only, unless manager)

Example request

curl https://api.wardin.ai/v1/keys \
  -H "Authorization: Bearer wardin_sk_YOUR_KEY" \
  -H "Content-Type: application/json"

Error responses

Missing key:
{
  "error": {
    "type": "unauthorized",
    "message": "Missing or invalid API key.",
    "code": 401
  }
}
Insufficient permissions:
{
  "error": {
    "type": "forbidden",
    "message": "This operation requires manager-level access.",
    "code": 403
  }
}

Rotating keys

There is no in-place rotation — create a new key, update your environment, then revoke the old one:
# 1. Create a new key
curl -X POST https://api.wardin.ai/v1/keys \
  -H "Authorization: Bearer wardin_sk_OLD_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "admin-rotated"}'

# 2. Update your WARDIN_API_KEY env var to the new key

# 3. Revoke the old key
curl -X DELETE https://api.wardin.ai/v1/keys/key_OLD_ID \
  -H "Authorization: Bearer wardin_sk_NEW_KEY"