Safe AI Workbench Developer Docs
AI-powered workspace with PHI protection
HIPAA-compliant API
Authentication
Learn how to authenticate your API requests using API keys or JWT tokens
API Key Authentication
Safe AI Workbench uses Bearer token authentication. Include your API key in the Authorization header:
Authorization: Bearer YOUR_API_KEY
You can find your API key on your dashboard. API keys start with gha_.
JWT Token Authentication
For browser-based applications, authenticate users with JWT tokens obtained after login:
// Login with email/password or passkey
const loginRes = await fetch('/api/auth/login', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    email: 'user@example.com',
    password: 'your_password'
  })
});
// Stop here on a failed login instead of sending "Bearer undefined" later
if (!loginRes.ok) throw new Error(`Login failed: ${loginRes.status}`);
const { token } = await loginRes.json();

// Use token in subsequent requests
const chatRes = await fetch('/api/ai/chat', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${token}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ /* ... */ })
});
JWT tokens are short-lived (24 hours) and automatically include user context (org, groups, roles).
Passkey (WebAuthn) Authentication
Users can authenticate with passkeys for passwordless, phishing-resistant login:
- Supported on modern browsers (Chrome, Safari, Edge, Firefox)
- Uses device biometrics (Face ID, Touch ID, Windows Hello)
- No password to remember or compromise
- FIDO2/WebAuthn compliant
Users can enroll passkeys from their account settings after initial login.
Security Best Practices
✅ Do:
- Store API keys securely in environment variables
- Use HTTPS for all API requests
- Rotate API keys periodically
- Use separate keys for development and production
❌ Don’t:
- Commit API keys to version control
- Share API keys in public forums or support tickets
- Use API keys in client-side JavaScript
- Hardcode API keys in your application
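The rules above against hardcoding and committing keys can be checked mechanically. The following is an added example, not code from Safe AI Workbench: a scanner for key-shaped strings that could run before a commit, plus a server-side loader that reads the key from the environment. The key body pattern and the variable name SAFE_AI_API_KEY are assumptions; the page documents only the gha_ prefix.

```javascript
// Added example: pre-commit style scan for Safe AI Workbench API keys.
// Assumption: a key is "gha_" followed by 16+ URL-safe characters; only the
// "gha_" prefix is documented, so tune KEY_PATTERN to your real keys.
const KEY_PATTERN = /\bgha_[A-Za-z0-9_-]{16,}/g;

// Show enough of a finding to locate it without re-leaking the secret.
function redact(key) {
  return `${key.slice(0, 8)}...(${key.length} chars)`;
}

// Return one finding per key-shaped string: { file, line, match }.
function findHardcodedKeys(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((content, index) => {
    for (const m of content.matchAll(KEY_PATTERN)) {
      findings.push({ file, line: index + 1, match: redact(m[0]) });
    }
  });
  return findings;
}

// Server-side alternative to hardcoding: read the key from the environment
// and fail closed if it is missing or malformed.
// SAFE_AI_API_KEY is a hypothetical variable name chosen for this example.
function authHeadersFromEnv(env, name = 'SAFE_AI_API_KEY') {
  const key = env[name];
  if (typeof key !== 'string' || !key.startsWith('gha_')) {
    throw new Error(`${name} is missing or does not look like an API key`);
  }
  return { Authorization: `Bearer ${key}`, 'Content-Type': 'application/json' };
}

// Constructed sample input; the key below is fake.
const SAMPLE = [
  "const key = 'gha_EXAMPLEexample0123456789';",
  'const key2 = process.env.SAFE_AI_API_KEY;',
  '// API keys start with gha_.',
].join('\n');

console.log(findHardcodedKeys('client.js', SAMPLE));
```

Only the hardcoded literal on line 1 of the sample is reported; the environment lookup and the bare prefix in the comment are not.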
API Key Compromised?
If you believe your API key has been exposed, regenerate it immediately from your dashboard. This will invalidate the old key.