Authentication
Amigo implements a two-tiered authentication system for secure API access. This guide covers the authentication workflow and best practices.
Authentication Flow
Understanding the Two-Step Authentication Process
Amigo uses a two-credential system for secure API access:
Generate an API Key (one-time or rotate periodically)
Create via Admin Dashboard or API endpoint
Produces:
api_key_idandapi_keyLong-lived credential for machine-to-machine authentication
Exchange API Key for JWT Token (per session/application startup)
Call
POST /v1/{org}/user/signin_with_api_keywith API key credentialsReturns:
jwt(JSON Web Token)Short-lived token representing an authenticated user session
Use JWT in All API Calls
Include in header:
Authorization: Bearer {jwt}This JWT grants access to conversations, users, and other endpoints
Critical: API Key ≠ JWT Token
❌ Wrong: Authorization: Bearer {api_key} ✅ Correct: Authorization: Bearer {jwt}
Never use the API key directly in Bearer headers. Always exchange it for a JWT first via the signin endpoint.
Step 1: User and Workspace Creation
Note: This part of the process will be handled for you by an Amigo representative.
Create a User: Begin by setting up a user profile within the desired workspace. This user profile will represent an individual or entity and hold specific privileges and access rights within Amigo.
Set Up a Workspace: Establish or join a workspace, which serves as a collaborative environment for you and others, providing a curated space for data and user activities.
Step 2: API Key Generation
After setting up the user and workspace, the next step is to create an API key. This key is a unique identifier that allows applications to access the workspace securely and perform operations based on the permissions granted to it. Keep this key secret to prevent unauthorized access.
Step 3: Authentication Token Creation
Use the generated API key to create an authentication token. This token acts as a pass, granting access to perform actions on behalf of the users it impersonates within Amigo. Tokens are essential for validation, allowing the system to authenticate requests and ensure they are performed by verified entities.
Final Notes
Security Best Practices: Always safeguard your API keys and authentication tokens. Limit their distribution and rotate them periodically to enhance security.
User Impersonation: Leverage the authentication token to carry out tasks simulating the identity of other users, as permitted by their roles and permissions.
Regional Endpoints and Dedicated Clusters
Use the regional base URL that matches your organization’s residency (US/EU/AU). See Regions & Endpoints for the full list.
For tenants on dedicated clusters, include the
x-mongo-cluster-nameheader when instructed (mandatory for Create Organization).
A service account makes API Keys for using other services. When your organization is set up in Amigo, an Admin user is created for adding more users.
To confirm you're logged in as the Admin role, confirm that you can see the tag in the top right corner of the admin dashboard.
Generating API Keys
You have two options for generating API keys:
Log in to your service account
Navigate to
https://<your-org-id>.amigo.ai/admin/settingsClick Create API Key and select duration
Store the API key and key ID securely (cannot be retrieved later)
Permission Boundaries API keys cannot impersonate users with higher privileges than the key creator.
Authentication Token Generation
Exchange your API key for a JWT token to authenticate API calls:
Given an organization API key, issue an authorization token for the specified user. The token should then be attached to the Authorization header in subsequent Amigo API calls.
This is an alternative authorization method for users who cannot use the Amigo frontend to login and authenticate.
The value of the API key.
The ID of the API key.
The ID of the user to sign in as.
The Mongo cluster name to perform this request in. This is usually not needed unless the organization does not exist yet in the Amigo organization infra config database.
[]Succeeded.
API key not found, is incorrect, or the requested user is not found.
Specified organization is not found.
Invalid request path parameter failed validation.
The user has exceeded the rate limit of 5 requests per minute for this endpoint.
The service is going through temporary maintenance.
POST /v1/{organization}/user/signin_with_api_key HTTP/1.1
Host: api.amigo.ai
x-api-key: text
x-api-key-id: text
x-user-id: text
Accept: */*
{
"id_token": "text",
"expires_at": "2025-12-03T06:08:29.581Z"
}Testing with Postman or Scalar
When testing with API clients like Postman, Scalar, or Insomnia:
Quick Start Flow
Generate API key using one of the methods above (you'll get
api_key,api_key_id, and need youruser_id)Call signin endpoint to exchange for JWT (see embedded reference above)
Use JWT as Bearer token for all other API calls
Critical: Signin Endpoint Uses Headers
When calling /user/signin_with_api_key, pass credentials as HTTP headers (not request body):
x-api-key: {your-api-key}x-api-key-id: {your-api-key-id}x-user-id: {your-user-id}
The response will contain: { "jwt": "..." }
Once you have the JWT, use it for all subsequent requests:
Authorization: Bearer {jwt-from-signin-response}Security Best Practices
API Key Rotation
Create new keys before current keys expire
Transition applications to use new credentials
Revoke old keys after successful transition
Automate rotation to prevent authentication failures
Additional Security Measures
Environment Variables — Never hardcode credentials
Access Control — Use principle of least privilege
Audit Logs — Monitor API key usage
Secure Storage — Use secret management solutions
Last updated
Was this helpful?