API Keys
Sardis uses API keys to authenticate requests. You can generate API keys from the Dashboard.
API keys follow this format:
- Live keys: sk_live_...
- Test keys: sk_test_...
Treat API keys like passwords. Never commit them to version control or expose them client-side.
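One way to enforce the rule above is a pre-commit scan for the documented key prefixes. The following Python check is an added example, not Sardis code; the sk_live_/sk_test_ prefixes come from this page, while the key-body pattern (16 or more alphanumerics), the function names and the sample keys are assumptions constructed for illustration.

```python
import re
import sys

# Prefixes come from the page. The key body (16+ alphanumerics) is an
# assumption: the page only shows "sk_live_..." and "sk_test_...".
KEY_RE = re.compile(r"\bsk_(live|test)_[A-Za-z0-9]{16,}\b")

# Constructed sample input; both keys are made up for this example.
SAMPLE = '''\
client = SardisClient(api_key=os.getenv("SARDIS_API_KEY"))
client = SardisClient(api_key="sk_live_CONSTRUCTEDKEY000001")
curl -H "Authorization: Bearer sk_test_your_test_key"
SARDIS_API_KEY=sk_test_CONSTRUCTEDKEY000002
'''

def redact(key):
    """Keep the 8-character prefix and last 4 characters so findings are safe to log."""
    return f"{key[:8]}...{key[-4:]}"

def scan_text(path, text):
    """Return one finding per key-shaped token, with the key redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append({
                "path": path,
                "line": lineno,
                "env": match.group(1),  # "live" or "test"
                "key": redact(match.group(0)),
            })
    return findings

def main(paths):
    """Scan the given files (or the sample if none); return 1 if any key is found."""
    if paths:
        findings = []
        for path in paths:
            with open(path, encoding="utf-8", errors="replace") as handle:
                findings += scan_text(path, handle.read())
    else:
        findings = scan_text("<sample>", SAMPLE)
    for f in findings:
        print(f"{f['path']}:{f['line']}: Sardis {f['env']} key {f['key']}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from a pre-commit hook with the staged file paths as arguments; a non-zero exit blocks the commit. Placeholder strings such as sk_live_your_api_key are not flagged because their bodies contain underscores.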
Authentication Methods
Include your API key in the Authorization header:
curl https://api.sardis.sh/api/v2/agents \
  -H "Authorization: Bearer sk_live_your_api_key"
SDK Authentication
from sardis_sdk import SardisClient
client = SardisClient(api_key="sk_live_your_api_key")
# Create an agent
agent = client.agents.create(
    name="payment-agent",
    description="Handles SaaS subscriptions"
)
Generating API Keys
- Log in to the Sardis Dashboard
- Navigate to Settings → API Keys
- Click Create API Key
- Name your key (e.g., “Production”, “Development”)
- Copy the key immediately - it won’t be shown again
API keys are shown only once. Store them securely using a secrets manager.
Key Permissions
Each API key has organization-level access:
- ✅ Full access to all agents, wallets, and transactions within your organization
- ✅ Read and write operations
- ❌ No access to other organizations
Key Rotation
Best Practices
- Rotate regularly: Every 90 days for production keys
- Use multiple keys: Separate keys for different environments
- Deactivate immediately: If a key is compromised
- Zero-downtime rotation: Create new key before deleting old one
Rotation Process
# 1. Create a new API key
curl -X POST https://api.sardis.sh/api/v2/api-keys \
  -H "Authorization: Bearer sk_live_old_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Key - 2025-03",
    "expires_at": "2025-06-01T00:00:00Z"
  }'
# 2. Update your application with the new key
# 3. Verify the new key works
# 4. Revoke the old key
curl -X DELETE https://api.sardis.sh/api/v2/api-keys/{old_key_id} \
  -H "Authorization: Bearer sk_live_new_key"
Security Best Practices
Environment Variables
Store API keys in environment variables:
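# Shell: set the key in the process environment
export SARDIS_API_KEY="sk_live_your_api_key"
# Python: read the key at startup; os.environ[...] raises KeyError if it is unset
import os
from sardis_sdk import SardisClient
client = SardisClient(api_key=os.environ["SARDIS_API_KEY"])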
Secrets Managers
Use a secrets manager in production:
- AWS Secrets Manager
- Google Secret Manager
- HashiCorp Vault
- 1Password / Bitwarden
IP Allowlisting
Restrict API key usage to specific IP addresses:
curl -X PATCH https://api.sardis.sh/api/v2/api-keys/{key_id} \
  -H "Authorization: Bearer sk_live_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "allowed_ips": [
      "203.0.113.0/24",
      "198.51.100.42"
    ]
  }'
Testing Authentication
Verify your API key works:
curl https://api.sardis.sh/api/v2/agents \
  -H "Authorization: Bearer sk_test_your_test_key"
Successful response:
{
  "agents": [],
  "total": 0,
  "limit": 50,
  "offset": 0
}
Troubleshooting
401 Unauthorized
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid API key"
  }
}
Solutions:
- Check that your API key is correct
- Ensure you’re using the Bearer prefix
- Verify the key hasn’t been revoked
- Check you’re using the correct environment (test vs live)
403 Forbidden
{
  "error": {
    "code": "forbidden",
    "message": "API key does not have permission to access this resource"
  }
}
Solutions:
- Verify you own the resource you’re trying to access
- Check IP allowlist settings
- Ensure the API key hasn’t expired