Authentication
All ARQERA API requests require authentication via an API key passed in the X-API-Key header.
Creating an API Key
- Sign in at arqera.io
- Navigate to System > API Keys
- Click Create API Key
- Choose a name and environment:
- Sandbox — for development and testing
- Production — for live traffic
- Copy the key immediately — it is shown only once
API keys follow the format ak_ followed by a random string:
ak_7f3a9b2c4e1d8f6a5b0c3e7d9f2a1b4c
Using Your API Key
Include the key in every request using the X-API-Key header:
curl -X POST https://api.arqera.io/api/v1/ara/governance/evaluate \
-H "Content-Type: application/json" \
-H "X-API-Key: ak_your_key_here" \
-d '{"action": "email.send", "description": "Send welcome email"}'
Python
import os
import requests
headers = {"X-API-Key": os.environ["ARQERA_API_KEY"]}
response = requests.post(
"https://api.arqera.io/api/v1/ara/governance/evaluate",
headers=headers,
json={"action": "email.send"},
)
TypeScript
const headers = {
"Content-Type": "application/json",
"X-API-Key": process.env.ARQERA_API_KEY!,
};
const response = await fetch(
"https://api.arqera.io/api/v1/ara/governance/evaluate",
{
method: "POST",
headers,
body: JSON.stringify({ action: "email.send" }),
}
);
Key Rotation
API keys expire after 90 days by default (3-month rotation cycle). You receive a notification 24 hours before deactivation.
To rotate keys without downtime:
- Create a new API key before the old one expires
- Update your application to use the new key
- Verify the new key works in production
- Delete the old key
Enterprise customers can request non-expiring keys.
Key Scopes
API keys can be scoped to limit access:
| Scope | Access |
|---|---|
governance:evaluate | Evaluate actions against governance laws |
evidence:read | Read evidence artifacts |
evidence:write | Create evidence artifacts |
usage:read | View usage and billing data |
keys:manage | Create and revoke API keys |
By default, new keys have all scopes. You can restrict scopes when creating a key for tighter security.
Environment Variables
We recommend storing your API key in an environment variable:
# .env (never commit this file)
ARQERA_API_KEY=ak_your_key_here
# Shell
export ARQERA_API_KEY="ak_your_key_here"
Security Best Practices
- Never commit API keys to version control
- Use environment variables or a secrets manager
- Rotate keys before they expire
- Use sandbox keys for development — sandbox evaluations do not count toward your monthly allowance
- Restrict scopes to the minimum your application needs
- Monitor usage via the dashboard or Usage API to detect unexpected activity
Error Responses
| Status | Meaning |
|---|---|
401 Unauthorized | Missing or invalid API key |
403 Forbidden | Key is revoked, expired, or lacks required scope |
429 Too Many Requests | Rate limit or usage limit exceeded |
{
"detail": "Invalid or expired API key. Create a new key at arqera.io/settings/api-keys"
}