Overview
The AgentHuman Client API (/v1/*) supports two authentication methods:
- JWT Authentication (Cookie-based) - Used for agent management endpoints
- API Key Authentication - Used for session and message endpoints
Getting Your API Key
Option 1: Web Dashboard
- Sign in to your account at app.agenthuman.com
- Navigate to Settings → API Keys
- Click “Create New API Key”
- Give your key a descriptive name
- Copy and securely store your key
Option 2: Programmatic Access
You can also manage API keys programmatically after authentication:
- Create API Key - Generate new API keys
- List API Keys - View existing keys
- See the Authentication endpoints for OTP and JWT-based authentication
Authentication Methods
1. JWT Authentication
JWT authentication is used for agent management endpoints. Include the JWT token in the Authorization header:
- Agent CRUD operations (/v1/agents)
- User-specific resources for avatars, voices, and roles
2. API Key Authentication
API key authentication is used for session and message endpoints. Include your API key in the x-api-key header:
- Session management (/v1/sessions)
- Message endpoints (/v1/sessions/{id}/messages)
- Public resource lists (avatars, voices, roles)
API Key Format
AgentHuman API keys follow a consistent format:
- ah_ - Prefix identifying an AgentHuman key
- environment - Either live for production or test for testing
- random_string - A unique 32-character string
- Production: ah_live_1234567890abcdefghijklmnopqrstuv
- Test: ah_test_1234567890abcdefghijklmnopqrstuv
Environment Variables
For security, store API keys in environment variables:
Security Best Practices
Do’s ✅
- Store API keys in environment variables or secure key management systems
- Use different keys for different environments (development, staging, production)
- Rotate keys regularly
- Monitor key usage for unusual activity
- Revoke compromised keys immediately
Don’ts ❌
- Hard-code API keys in your source code
- Commit API keys to version control
- Share API keys via email or chat
- Use API keys in client-side JavaScript
- Log or display API keys in error messages
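The documented key format and the rule against logging keys, combined in an added example (not AgentHuman's own code): it reads the key from an environment variable, checks it against the ah_<environment>_<32 characters> shape, and redacts keys from log messages. The variable name AGENTHUMAN_API_KEY, the function and class names, and the alphanumeric character set are assumptions.

```python
import logging
import os
import re

# Documented shape: ah_<live|test>_<32-character string>. The alphanumeric
# character set is an assumption; the page only states the length.
KEY_RE = re.compile(r"\bah_(live|test)_([A-Za-z0-9]{32})\b")


def redact(text: str) -> str:
    """Mask every key-shaped token, keeping the environment and last 4 chars."""
    return KEY_RE.sub(lambda m: f"ah_{m.group(1)}_****{m.group(2)[-4:]}", text)


class RedactKeys(logging.Filter):
    """Logging filter that scrubs keys from the final formatted message."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so keys passed as %-style arguments are caught too.
        record.msg, record.args = redact(record.getMessage()), None
        return True


def load_key(expected_env: str, var: str = "AGENTHUMAN_API_KEY") -> str:
    """Read the key from the environment and check the documented format.

    expected_env is "live" or "test"; var is a hypothetical variable name.
    """
    key = os.environ.get(var, "").strip()
    m = KEY_RE.fullmatch(key)
    if m is None:
        # Never echo the value: a malformed key may still be a real secret.
        raise ValueError(f"{var} is missing or not in ah_<env>_<32 chars> format")
    if m.group(1) != expected_env:
        # Stops a test key reaching production, or a live key reaching CI.
        raise ValueError(f"{var} is a '{m.group(1)}' key, expected '{expected_env}'")
    return key
```

Attach the filter to each handler with handler.addFilter(RedactKeys()) so that records propagated from other loggers are scrubbed as well.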
Key Management
Rotating Keys
Regularly rotate your API keys for enhanced security:
- Create a new API key
- Update your application to use the new key
- Test thoroughly
- Delete the old key
Revoking Keys
If a key is compromised:
- Sign in to your account immediately
- Navigate to Settings → API Keys
- Find the compromised key
- Click “Delete” to revoke it instantly
- Create a new key if needed
Error Responses
Invalid API Key
401 Unauthorized
Missing API Key
401 Unauthorized
Expired or Revoked Key
401 Unauthorized
Testing Authentication
Using the API Playground
The easiest way to test your API key is using the built-in API Playground:
- Navigate to any API endpoint documentation page
- Look for the “API Playground” section
- Enter your API key in the x-api-key field
- Fill in any required parameters
- Click “Send Request” to test the endpoint
The API Playground will automatically include your API key in all requests once entered.
Manual Testing
You can also test your API key with these simple requests:
Need Help?
If you’re having authentication issues:
- Verify your API key is correct and hasn’t been revoked
- Check that you’re using the correct header name (x-api-key)
- Ensure you’re using HTTPS for all requests
- Contact support at [email protected] if issues persist