Authentication
Authenticate to the B3OS API with user sessions, API keys, service accounts, and organization context.
B3OS supports human user sessions for the app and scoped API keys for backend automation. API keys are the recommended path for server-to-server integrations.
Bearer Authentication
Send credentials in the Authorization header:
```http
Authorization: Bearer YOUR_API_KEY
```
API Keys
API keys have the following properties:
| Property | Behavior |
|---|---|
| Prefix | Raw keys use the b3sk_ prefix |
| Storage | B3OS stores hashes, not raw keys |
| Reveal | The raw key is shown once at creation |
| Scope | Keys are scoped, commonly read or read-write |
| Revocation | Keys can be revoked without deleting historical records |
| Organization | Keys are associated with an organization context |
Copy the key into a secret manager immediately. B3OS cannot retrieve and display the raw key later.
Scopes
| Scope | Intended use |
|---|---|
| read | Dashboards, reporting, status checks, run inspection, workflow inventory |
| read-write | Backend automation that creates, updates, publishes, or executes workflows and manages related operational resources |
read-write grants broad build and operate capabilities. Use separate keys per service so rotation and auditing are straightforward.
Organization Context
API keys are bound to organization access. User-session requests may also require explicit organization context depending on the route and app state.
When an endpoint requires an organization header, send:
```http
X-Org-ID: org_123
```
For server-to-server integrations, prefer organization-scoped API keys over reusing browser session credentials.
Service Accounts
Use service accounts when the actor is a system rather than a person. Pair each service account with keys scoped to the minimum operations it needs.
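The key properties, scopes and organization binding described above, modelled as a small server-side key store. This is an added illustration, not B3OS's own implementation: the class and function names, the SHA-256 hashing and the scope-to-permission mapping are assumptions chosen to show the behaviour the tables describe (prefixed raw key revealed once, only a hash stored, scope and org checked on every request, revocation that keeps the record).

```python
import hashlib
import secrets
from dataclasses import dataclass

# Illustrative model only (assumed names; not B3OS code). It mirrors the
# documented behaviour: b3sk_ prefix, hashed storage, one-time reveal,
# read / read-write scopes, org binding, revocation without deletion.
KEY_PREFIX = "b3sk_"
SCOPES = {"read": {"read"}, "read-write": {"read", "write"}}


@dataclass
class KeyRecord:
    key_hash: str          # SHA-256 of the raw key; the raw key is never kept
    scope: str             # "read" or "read-write"
    org_id: str            # organization the key is bound to
    revoked: bool = False  # revoked keys stay in the table for audit history


class KeyStore:
    def __init__(self) -> None:
        self.records: dict[str, KeyRecord] = {}  # indexed by hash, not raw key

    @staticmethod
    def _hash(raw_key: str) -> str:
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def create_key(self, scope: str, org_id: str) -> str:
        """Mint a key. The raw value is returned exactly once and never stored."""
        if scope not in SCOPES:
            raise ValueError(f"unknown scope: {scope}")
        raw_key = KEY_PREFIX + secrets.token_urlsafe(32)
        key_hash = self._hash(raw_key)
        self.records[key_hash] = KeyRecord(key_hash, scope, org_id)
        return raw_key

    def revoke(self, raw_key: str) -> None:
        """Disable the key but keep its record so past runs stay attributable."""
        self.records[self._hash(raw_key)].revoked = True

    def authorize(self, raw_key: str, org_id: str, needs: str) -> bool:
        """Check a presented key: prefix, known hash, not revoked, org, scope."""
        if not raw_key.startswith(KEY_PREFIX):
            return False
        record = self.records.get(self._hash(raw_key))
        if record is None or record.revoked or record.org_id != org_id:
            return False
        return needs in SCOPES[record.scope]
```

A read key therefore cannot authorize a write, a key presented with the wrong organization fails even when valid, and a revoked key is rejected while its record remains in the store.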
Safe Key Practices
- Create one key per service or environment.
- Store keys in a secret manager.
- Never expose keys in browser or client bundles.
- Rotate keys when ownership or deployment access changes.
- Revoke unused keys.
- Use `read` keys for dashboards and reporting.
- Use `read-write` keys only when automation needs writes or execution.
Example Request
```bash
curl -X POST https://api.b3os.org/v1/workflows/wf_123/run \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "input": { "asset": "USDC", "amount": "100" } }'
```
