Skip to main content

Authentication

All API requests must include your API key in the Api-Key header.

API Keys

API keys are scoped to your organization and can be created in the Dashboard.
EnvironmentKey PrefixDescription
Developmentlk_dev_For testing and development
Productionlk_live_For live transactions
Security Best Practices
  • Never expose API keys in client-side code
  • Don’t commit keys to version control
  • Rotate keys periodically
  • Use separate keys for development and production

Making Authenticated Requests

Include your API key in the Api-Key header: 
curl https://api.useproxy.ai/v1/agents \
  -H "Api-Key: lk_dev_your_api_key"

Error Responses

Missing API Key

{
  "error": {
    "type": "authentication_error",
    "code": "missing_api_key",
    "message": "Missing Api-Key header"
  },
  "request_id": "req_abc123"
}
Status: 401 Unauthorized

Invalid API Key

{
  "error": {
    "type": "authentication_error",
    "code": "invalid_api_key",
    "message": "Invalid API key"
  },
  "request_id": "req_abc123"
}
Status: 401 Unauthorized

Error Codes Reference

See all error codes and troubleshooting tips

How Agents Authenticate

Agents don’t have their own API keys. Your organization’s API key is used for all operations, including those on behalf of agents. 
Organization (owns API key)
    └── API Key authenticates ALL requests
          └── Register agents, issue cards, retrieve credentials
This is a delegated trust model:
  1. Your backend holds the org API key (never expose to clients)
  2. Your AI agent requests card credentials through your backend
  3. Your backend calls Proxy API with the org key
  4. Attestation creates an audit trail of what the agent claimed
Agents are logical identities for organizing spending limits and audit trails — not separate authenticated principals.

Rate Limits

API requests are rate-limited per organization:
OperationRateBurst
Read (GET)100/min20
Write (POST/PATCH/DELETE)30/min10
Card Creation10/min5
When rate limited, you’ll receive: 
{
  "error": {
    "type": "rate_limit_error",
    "code": "rate_limit_exceeded",
    "message": "Rate limit exceeded. Retry after 5 seconds."
  },
  "request_id": "req_abc123"
}
Status: 429 Too Many Requests Headers:
  • Retry-After: Seconds until you can retry

Request IDs

Every API response includes a unique request ID in the X-Request-Id header and response body. Include this when contacting support. 
curl -i https://api.useproxy.ai/v1/agents \
  -H "Api-Key: lk_dev_your_api_key"

# Response headers include:
# X-Request-Id: req_abc123def456

Idempotency

For POST requests, you can include an Idempotency-Key header to ensure the request is only processed once: 
curl -X POST https://api.useproxy.ai/v1/agents/register \
  -H "Api-Key: lk_dev_your_api_key" \
  -H "Idempotency-Key: unique-request-id-123" \
  -H "Content-Type: application/json" \
  -d '{"externalId": "my-agent", "userId": "user_abc", "name": "My Agent"}'
If you retry with the same idempotency key within 24 hours, you’ll receive the original response.

Managing API Keys

Create a Key

  1. Go to Dashboard
  2. Navigate to Settings > API Keys
  3. Click Create Key
  4. Name your key and set expiration (optional)
  5. Copy the key immediately (it won’t be shown again)

Revoke a Key

  1. Go to Settings > API Keys
  2. Find the key you want to revoke
  3. Click Revoke
Revoking a key is immediate and permanent. Any requests using that key will fail.

Base URL

All API requests should be made to: 
https://api.useproxy.ai
The same base URL is used for both development (lk_dev_) and production (lk_live_) keys. The key prefix determines the environment.
Use development keys for testing. No real charges are made and you can use test credentials.