API Keys

Learn how to authenticate requests with API keys.


The Augno API uses API keys to authenticate requests. You can view and manage your API keys in the Dashboard. If a request to the API does not include a valid API key, we will return an invalid request error. If the provided API key is expired, revoked, or deleted, we will return an authentication error.

Key Types

There are two types of API keys:

Type | Prefix | Description
Sandbox secret key | aug_sk_test_ | Authenticate requests on your server when you're testing in a sandbox. By default, this key is provided admin privileges so you can use this key to perform any API request without restriction. Reserve this key for testing and development to make sure you don't accidentally modify your production data.
Production secret key | aug_sk_prod_ | Authenticate requests on your server when in production mode. You can create and configure these API keys with custom levels of permissions up to admin privileges.

Your API keys can be found in the Dashboard. Only a user with admin privileges can create new API keys.

Documentation API Keys

If you're logged in to Augno, our documentation populates code examples with a sandbox API key that only you can see. This sandbox API key is generated the first time you or a member of your account visits the Augno docs while logged in. These keys are clearly denoted in the Dashboard with the name Doc API Key [System Generated]. They are short-lived and will expire and rotate automatically every 30 days. To turn off this feature, revoke the API key in the Dashboard; the revocation takes effect immediately and the key will no longer auto-populate in the docs. This is handled on a per-sandbox basis, meaning that you must revoke the system-generated API key on each sandbox where you do not want it to auto-populate in the docs.

If you're not logged in, our code examples will clearly indicate where your API key should go with "YOUR_API_KEY".

Since you are not logged in, the following uses placeholder API keys:

Type | Value | When to Use
Secret | aug_sk_test_AM4B...WNXD | Server-Side Security: To call Augno APIs, store your secret key securely within your server environment (e.g., environment variables or a credential manager). Never expose this key in client-side code, websites, or mobile binaries. Additionally, you should apply the principle of least privilege by restricting the key's permissions to only the specific actions your server requires.

// Example client setup for YOUR_ACCOUNT_NAME
const augno = new AugnoClient({
    apiKey: 'YOUR_API_KEY',
});

Using API Keys

Include your API key in the Authorization header using one of these schemes:

Bearer (recommended):

Authorization: Bearer YOUR_API_KEY

Basic:

Authorization: Basic <base64(YOUR_API_KEY:)>

Note: When using Basic authentication, the API key is the username and the password must be empty (include the trailing colon before base64 encoding).

Account Context

By default, API requests operate on the account that owns the API key. To target a different account (such as a connected customer or supplier account), include the target account ID header:

Augno-Account: YOUR_ACCOUNT_ID

The API key must have permission to access the target account through an established relationship.

Permissions

Each API key is associated with a role that defines its permissions. Permissions are organized by resource domain (e.g., products, orders, production-runs) with standard CRUD actions (create, read, update, delete).

When creating an API key, assign a role with the minimum permissions required for your integration.

Security

  • Storage: The full API key is shown once at creation and cannot be retrieved afterward. Store it securely.
  • Display: In API responses and logs, keys are masked to show only the last 4 characters of the secret (e.g., aug_sk_prod_****UCZu).
  • Expiration: API keys can be created with an optional expiration date. Expired keys are automatically rejected.
  • Revocation: API keys can be revoked at any time. Revoked keys are immediately rejected.
  • Usage tracking: All requests attempted with an API key are logged.
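
The following is an added example, not code from Augno or its SDK: a server-side helper that checks a key's documented prefix against the intended mode, builds the Bearer or Basic Authorization header and the optional Augno-Account header, and masks the key for logs in the form shown above. The function names, the AUGNO_API_KEY environment variable and the sample key are assumptions made for illustration.

```javascript
// Added example. Helper names and the AUGNO_API_KEY variable are assumptions.
const KEY_PREFIXES = { sandbox: 'aug_sk_test_', production: 'aug_sk_prod_' };

// Classify a key by its documented prefix; null if it matches neither.
function keyEnvironment(apiKey) {
  if (typeof apiKey !== 'string') return null;
  for (const [env, prefix] of Object.entries(KEY_PREFIXES)) {
    if (apiKey.startsWith(prefix) && apiKey.length > prefix.length) return env;
  }
  return null;
}

// Log-safe form matching the page's masking: prefix, ****, last 4 of the secret.
function maskKey(apiKey) {
  const env = keyEnvironment(apiKey);
  if (env === null) return '****';
  const prefix = KEY_PREFIXES[env];
  const secret = apiKey.slice(prefix.length);
  return prefix + '****' + (secret.length > 4 ? secret.slice(-4) : '');
}

// Build request headers, refusing a key whose type does not match the mode.
function buildAuthHeaders({ apiKey, expectedEnv, scheme = 'bearer', accountId }) {
  const env = keyEnvironment(apiKey);
  if (env === null) throw new Error('API key has no recognized prefix');
  if (env !== expectedEnv) {
    throw new Error(`Refusing ${env} key ${maskKey(apiKey)} in ${expectedEnv} mode`);
  }
  const headers = {};
  if (scheme === 'bearer') {
    headers.Authorization = `Bearer ${apiKey}`;
  } else if (scheme === 'basic') {
    // Key is the username and the password is empty: keep the trailing colon.
    headers.Authorization = 'Basic ' + Buffer.from(`${apiKey}:`).toString('base64');
  } else {
    throw new Error(`Unsupported scheme: ${scheme}`);
  }
  if (accountId !== undefined) {
    // Reject CR/LF so a tainted account ID cannot inject extra headers.
    if (!/^[^\r\n]+$/.test(accountId)) throw new Error('Invalid account ID');
    headers['Augno-Account'] = accountId;
  }
  return headers;
}

// Constructed sample key (not a real credential), used when the variable is unset.
const apiKey = process.env.AUGNO_API_KEY || 'aug_sk_test_CONSTRUCTEDSAMPLE0001';
console.log('Using key', maskKey(apiKey));
```

Error messages only ever contain the masked form, so a mode mismatch can be logged without leaking the secret.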