Skip to main content

Authentication

All ARQERA API requests require authentication via an API key passed in the X-API-Key header.

Creating an API Key

  1. Sign in at arqera.io
  2. Navigate to System > API Keys
  3. Click Create API Key
  4. Choose a name and environment:
    • Sandbox — for development and testing
    • Production — for live traffic
  5. Copy the key immediately — it is shown only once

API keys follow the format ak_ followed by a random string:

ak_7f3a9b2c4e1d8f6a5b0c3e7d9f2a1b4c

Using Your API Key

Include the key in every request using the X-API-Key header:

curl -X POST https://api.arqera.io/api/v1/ara/governance/evaluate \
-H "Content-Type: application/json" \
-H "X-API-Key: ak_your_key_here" \
-d '{"action": "email.send", "description": "Send welcome email"}'

Python

import os
import requests

headers = {"X-API-Key": os.environ["ARQERA_API_KEY"]}

response = requests.post(
"https://api.arqera.io/api/v1/ara/governance/evaluate",
headers=headers,
json={"action": "email.send"},
)

TypeScript

const headers = {
"Content-Type": "application/json",
"X-API-Key": process.env.ARQERA_API_KEY!,
};

const response = await fetch(
"https://api.arqera.io/api/v1/ara/governance/evaluate",
{
method: "POST",
headers,
body: JSON.stringify({ action: "email.send" }),
}
);

Key Rotation

API keys expire after 90 days by default (3-month rotation cycle). You receive a notification 24 hours before deactivation.

To rotate keys without downtime:

  1. Create a new API key before the old one expires
  2. Update your application to use the new key
  3. Verify the new key works in production
  4. Delete the old key

Enterprise customers can request non-expiring keys.

Key Scopes

API keys can be scoped to limit access:

ScopeAccess
governance:evaluateEvaluate actions against governance laws
evidence:readRead evidence artifacts
evidence:writeCreate evidence artifacts
usage:readView usage and billing data
keys:manageCreate and revoke API keys

By default, new keys have all scopes. You can restrict scopes when creating a key for tighter security.

Environment Variables

We recommend storing your API key in an environment variable:

# .env (never commit this file)
ARQERA_API_KEY=ak_your_key_here
# Shell
export ARQERA_API_KEY="ak_your_key_here"

Security Best Practices

  • Never commit API keys to version control
  • Use environment variables or a secrets manager
  • Rotate keys before they expire
  • Use sandbox keys for development — sandbox evaluations do not count toward your monthly allowance
  • Restrict scopes to the minimum your application needs
  • Monitor usage via the dashboard or Usage API to detect unexpected activity

Error Responses

StatusMeaning
401 UnauthorizedMissing or invalid API key
403 ForbiddenKey is revoked, expired, or lacks required scope
429 Too Many RequestsRate limit or usage limit exceeded
{
"detail": "Invalid or expired API key. Create a new key at arqera.io/settings/api-keys"
}