Authentication
API keys, bearer tokens, rotation, and how to keep your credentials safe.
Every request to the Jettson API is authenticated with an API key as a bearer token in the Authorization header.
Generating a key
API keys are managed in the Console at /console/api-keys. Click Create key, name it, and copy the value — Jettson shows the secret exactly once.
Key format:
jett_sk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
The _live_ segment is fixed for now — test-mode keys (jett_sk_test_…) ship alongside the production deploy and behave identically except they're scoped to a sandbox account.
Sending the key
Set the Authorization header on every API request:
curl https://jettson.dev/api/v1/agents \
  -H "Authorization: Bearer $JETTSON_API_KEY"
What Jettson stores
We store a SHA-256 hash of each key — never the plaintext. After you copy the value at creation time, there's no way for anyone (including Jettson support) to recover it. Lost it? Revoke and create a new one.
Revoking a key
In the Console, find the key in /console/api-keys and click Revoke. Revoked keys are rejected on the next request — there's no propagation delay.
Revoked keys remain in your history (with a revokedAt timestamp) so audit logs stay intact.
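The hash-only storage and revocation behaviour described in the two sections above, as an added Python sketch that is not Jettson's server code. The KeyStore class, its method names and the 32-hex-character suffix are assumptions made for illustration; only the key prefixes, the SHA-256 storage and the revokedAt field come from this page.

```python
# Added illustration, not Jettson's server code; class and method names are hypothetical.
import hashlib
import secrets
from datetime import datetime, timezone

PREFIXES = ("jett_sk_live_", "jett_sk_test_")  # the two prefixes shown on this page


class KeyStore:
    """Holds SHA-256 digests of API keys and a revokedAt timestamp, never the plaintext."""

    def __init__(self):
        self._records = {}  # hex digest -> {"name": str, "revokedAt": datetime or None}

    @staticmethod
    def digest(key):
        # Unsalted SHA-256 is adequate here only because the key is long random
        # CSPRNG output; it would not be adequate for human-chosen passwords.
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def create(self, name, mode="live"):
        # Assumption: 32 hex characters of suffix; the real alphabet and length may differ.
        key = f"jett_sk_{mode}_{secrets.token_hex(16)}"
        self._records[self.digest(key)] = {"name": name, "revokedAt": None}
        return key  # returned once; afterwards only the digest exists

    def revoke(self, key_digest):
        # The record is kept, so audit history still resolves to this key.
        self._records[key_digest]["revokedAt"] = datetime.now(timezone.utc)

    def authenticate(self, authorization_header):
        """Return the key's name for a valid, unrevoked bearer key, else None."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme.lower() != "bearer" or not token.startswith(PREFIXES):
            return None
        record = self._records.get(self.digest(token))
        if record is None or record["revokedAt"] is not None:
            return None  # unknown key, or revoked: rejected on this very request
        return record["name"]


if __name__ == "__main__":
    store = KeyStore()
    key = store.create("ci-runner")
    print(store.authenticate(f"Bearer {key}"))   # ci-runner
    store.revoke(KeyStore.digest(key))
    print(store.authenticate(f"Bearer {key}"))   # None
```

Because the store holds only digests, nothing in it can be turned back into a usable key, which is why a lost key can only be revoked and replaced.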
Security best practices
Rate limits
Rate limits are per-key, not per-account. The free tier allows 5 spawns/minute and 30 spawns/hour per key; Pro and Scale are much higher. See rate limits for the full table.
Programmatic key management
Creating and revoking keys via the API is coming in a future release. For now, both flows happen through the Console UI.