circle-info
New Release: Cypress is now live. Parallel paths for curated and un-curated data.
Twig Help Docsarrow-up-right
search
Twig.so

Authentication & API Keys

Complete guide to authenticating API requests with Twig AI.

hashtag
Authentication Methods

hashtag
API Keys (Recommended)

Best for: Server-to-server, automated workflows, production applications

Format: Bearer token in Authorization header

curl -X GET https://api.twig.so/api/agents \
  -H "Authorization: Bearer sk_live_abc123..."

hashtag
OAuth 2.0 (For User Context)

Best for: User-specific actions, third-party integrations

Flow:

  1. Redirect user to authorization URL

  2. User grants permission

  3. Receive authorization code

  4. Exchange for access token

  5. Use access token in requests

hashtag
Generating API Keys

hashtag
Via UI

  1. Navigate to SettingsAPI Keys

  2. Click Generate New API Key

  3. Provide details:

    • Name: "Production API", "Development", etc.

    • Scope: Permissions (see below)

    • Expiration: Optional expiry date

  4. Copy key immediately (shown only once)

  5. Store securely

hashtag
Via API

hashtag
API Key Types

hashtag
Organization Keys

  • Access all resources in organization

  • Shared across team

  • Higher permissions

  • Require admin to create

hashtag
Personal Keys

  • User-specific access

  • Limited to user's permissions

  • Can be self-generated

  • Tied to user account

hashtag
Scoped Keys

  • Limited permissions

  • Specific operations only

  • Most secure

  • Recommended for production

hashtag
API Key Scopes

Scope
Permissions

chat

Chat/completion requests

agents:read

List and view agents

agents:write

Create/edit agents

agents:delete

Delete agents

data:read

View data sources

data:write

Modify data sources

analytics:read

View analytics

admin

Full access

Example:

hashtag
Using API Keys

hashtag
Request Header

hashtag
Examples

cURL:

JavaScript:

Python:

hashtag
Key Management Best Practices

hashtag
Security

Do:

  • Store keys in environment variables

  • Use different keys for dev/staging/prod

  • Rotate keys regularly (every 90 days)

  • Use scoped keys with minimum permissions

  • Revoke compromised keys immediately

Don't:

  • Hardcode keys in source code

  • Commit keys to version control

  • Share keys via email/chat

  • Use same key across all environments

  • Give keys broader scope than needed

hashtag
Storage

Environment Variables:

Secret Managers:

  • AWS Secrets Manager

  • Google Cloud Secret Manager

  • HashiCorp Vault

  • Azure Key Vault

Configuration:

hashtag
Rotation

Manual Rotation:

  1. Generate new key

  2. Update applications

  3. Test thoroughly

  4. Revoke old key

  5. Monitor for errors

Automated Rotation:

hashtag
Error Handling

hashtag
Invalid Key

Response:

Solutions:

  • Verify key is correct

  • Check for extra spaces

  • Ensure key hasn't been revoked

  • Verify key hasn't expired

hashtag
Expired Key

Response:

Solution: Generate new key

hashtag
Insufficient Permissions

Response:

Solution: Use key with appropriate scopes

hashtag
Monitoring

hashtag
Track Usage

View API key usage:

  • Request count

  • Success/failure rate

  • Last used timestamp

  • Geographic distribution

hashtag
Set Alerts

hashtag
Troubleshooting

hashtag
Key Not Working

  1. Check format: Authorization: Bearer KEY

  2. Verify key status (not revoked)

  3. Check expiration date

  4. Verify scopes match operation

  5. Test with different endpoint

hashtag
Intermittent Failures

  1. Check rate limits

  2. Verify network connectivity

  3. Review error logs

  4. Check key permissions

  5. Monitor API status page

hashtag
Next Steps

PreviousAPI Endpoints ReferenceNextWebhooks & Events

Last updated