Run API Authentication
Authentication modes for Run API
The Run API (agents-run-api) has three authentication modes depending on your environment configuration:
Development Mode
When ENVIRONMENT=development:
- No API key required
- Must include scope headers:
  - x-inkeep-tenant-id
  - x-inkeep-project-id
  - x-inkeep-graph-id
Standard Mode
When ENVIRONMENT≠development and INKEEP_AGENTS_RUN_API_BYPASS_SECRET is not set:
- Use API keys created from the Manage UI
- No additional headers required (scope encoded in key)
Bypass Mode
When ENVIRONMENT≠development and INKEEP_AGENTS_RUN_API_BYPASS_SECRET is set:
Option 1: Bypass Secret
- Use the bypass secret as token
- Must include scope headers
Option 2: Standard API Keys remain valid
- Use API keys from the Manage UI
Running Multiple Instances
You can run multiple Run API instances with different auth configurations. If you're deploying Inkeep Agents to production, it is common to expose only the Run API deployment that runs in standard mode and keep all other services internal.
Security Best Practices
- Production: Always use Standard API keys
- Bypass Secret: Use for internal services only
- API Keys: Rotate regularly and set expiration dates
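The mode rules and the multi-instance guidance above can be checked before a deploy. The following is an added example, not Inkeep's own code: it derives each instance's auth mode from its environment and flags any publicly exposed instance that is not in standard mode. The `name` and `exposure` fields, the 32-character minimum and the sample values are assumptions of this example.

```javascript
// Added example: audit planned Run API instances against the mode rules above.
// `name` and `exposure` ("public" | "internal") are this example's own fields,
// not Inkeep settings; the env var names are the ones from this page.

function authMode(env) {
  if (env.ENVIRONMENT === "development") return "development";
  // The page does not say how an empty value is treated, so any defined
  // value counts as "set" here and the audit errs toward flagging.
  return env.INKEEP_AGENTS_RUN_API_BYPASS_SECRET !== undefined ? "bypass" : "standard";
}

function auditInstance({ name, exposure, env }) {
  const mode = authMode(env);
  const findings = [];
  if (exposure === "public" && mode === "development") {
    findings.push(`${name}: development mode requires no API key; do not expose it`);
  }
  if (exposure === "public" && mode === "bypass") {
    findings.push(`${name}: bypass secret is accepted; keep this instance internal`);
  }
  // Minimum length is this example's assumption, not an Inkeep requirement.
  const secret = env.INKEEP_AGENTS_RUN_API_BYPASS_SECRET;
  if (mode === "bypass" && secret.length < 32) {
    findings.push(`${name}: bypass secret is shorter than 32 characters`);
  }
  return { name, mode, findings };
}

function auditDeployment(instances) {
  const results = instances.map(auditInstance);
  return { results, ok: results.every((r) => r.findings.length === 0) };
}

// Constructed sample deployment (values are placeholders).
const SAMPLE = [
  { name: "run-api-public", exposure: "public", env: { ENVIRONMENT: "production" } },
  { name: "run-api-internal", exposure: "internal",
    env: { ENVIRONMENT: "production", INKEEP_AGENTS_RUN_API_BYPASS_SECRET: "x".repeat(48) } },
  { name: "run-api-misconfigured", exposure: "public",
    env: { ENVIRONMENT: "production", INKEEP_AGENTS_RUN_API_BYPASS_SECRET: "changeme" } },
];

for (const r of auditDeployment(SAMPLE).results) {
  console.log(r.name, r.mode, r.findings);
}
```

Run it in CI against the environment of each planned instance and fail the deploy when `ok` is false.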