search
Go to website

lockAuthentication

Amigo implements a two-tiered authentication system for secure API access. This guide covers the authentication workflow and best practices.

hashtag
Authentication Flow

spinner

hashtag
Understanding the Two-Step Authentication Process

Amigo uses a two-credential system for secure API access:

  1. Generate an API Key (one-time or rotate periodically)

    • Create via Admin Dashboard or API endpoint

    • Produces: api_key_id and api_key

    • Long-lived credential for machine-to-machine authentication

  2. Exchange API Key for JWT Token (per session/application startup)

    • Call POST /v1/{org}/user/signin_with_api_key with API key credentials

    • Returns: jwt (JSON Web Token)

    • Short-lived token representing an authenticated user session

  3. Use JWT in All API Calls

    • Include in header: Authorization: Bearer {jwt}

    • This JWT grants access to conversations, users, and other endpoints

triangle-exclamation

Critical: API Key ≠ JWT Token

Wrong: Authorization: Bearer {api_key}Correct: Authorization: Bearer {jwt}

Never use the API key directly in Bearer headers. Always exchange it for a JWT first via the signin endpoint.

hashtag
Step 1: User and Workspace Creation

Note: This part of the process will be handled for you by an Amigo representative.

  1. Create a User: Begin by setting up a user profile within the desired workspace. This user profile will represent an individual or entity and hold specific privileges and access rights within Amigo.

  2. Set Up a Workspace: Establish or join a workspace, which serves as a collaborative environment for you and others, providing a curated space for data and user activities.

hashtag
Step 2: API Key Generation

  • After setting up the user and workspace, the next step is to create an API key. This key is a unique identifier that allows applications to access the workspace securely and perform operations based on the permissions granted to it. Keep this key secret to prevent unauthorized access.

hashtag
Step 3: Authentication Token Creation

  • Use the generated API key to create an authentication token. This token acts as a pass, granting access to perform actions on behalf of the users it impersonates within Amigo. Tokens are essential for validation, allowing the system to authenticate requests and ensure they are performed by verified entities.

hashtag
Final Notes

  • Security Best Practices: Always safeguard your API keys and authentication tokens. Limit their distribution and rotate them periodically to enhance security.

  • User Impersonation: Leverage the authentication token to carry out tasks simulating the identity of other users, as permitted by their roles and permissions.

hashtag
Regional Endpoints and Dedicated Clusters

  • Use the regional base URL that matches your organization’s residency (US/EU/AU). See Regions & Endpoints for the full list.

  • For tenants on dedicated clusters, include the x-mongo-cluster-name header when instructed (mandatory for Create Organization).

A service account makes API Keys for using other services. When your organization is set up in Amigo, an Admin user is created for adding more users.

To confirm you're logged in as the Admin role, confirm that you can see the tag in the top right corner of the admin dashboard.

hashtag
Generating API Keys

You have two options for generating API keys:

  1. Log in to your service account

  2. Navigate to https://<your-org-id>.amigo.ai/admin/settings

  3. Click Create API Key and select duration

  4. Store the API key and key ID securely (cannot be retrieved later)

circle-exclamation

Permission Boundaries API keys cannot impersonate users with higher privileges than the key creator.

hashtag
Authentication Token Generation

Exchange your API key for a JWT token to authenticate API calls:

hashtag
Sign in with API key

post
/v1/{organization}/user/signin_with_api_key

Given an organization API key, issue an authorization token for the specified user. The token should then be attached to the Authorization header in subsequent Amigo API calls.

This is an alternative authorization method for users who cannot use the Amigo frontend to login and authenticate.

Authorizations
Path parameters
organizationstringRequired
Header parameters
x-api-keystringRequired

The value of the API key.

x-api-key-idstringRequired

The ID of the API key.

x-user-idstringRequired

The ID of the user to sign in as.

x-mongo-cluster-nameany ofOptional

The Mongo cluster name to perform this request in. This is usually not needed unless the organization does not exist yet in the Amigo organization infra config database.

stringOptional
or
nullOptional
Sec-WebSocket-Protocolstring[]OptionalDefault: []
Responses
chevron-right
200

Succeeded.

application/json
id_tokenstringRequired

The ID token that should be attached to the Authorization header for future API calls.

expires_atstring · date-timeRequired

The time at which the token expires.

post
/v1/{organization}/user/signin_with_api_key

hashtag
Testing with Postman or Scalar

When testing with API clients like Postman, Scalar, or Insomnia:

hashtag
Quick Start Flow

  1. Generate API key using one of the methods above (you'll get api_key, api_key_id, and need your user_id)

  2. Call signin endpoint to exchange for JWT (see embedded reference above)

  3. Use JWT as Bearer token for all other API calls

circle-exclamation

Critical: Signin Endpoint Uses Headers

When calling /user/signin_with_api_key, pass credentials as HTTP headers (not request body):

  • x-api-key: {your-api-key}

  • x-api-key-id: {your-api-key-id}

  • x-user-id: {your-user-id}

The response will contain: { "jwt": "..." }

circle-info

Where to find credentials:

  • api_key, api_key_id, user_id: All available at https://<your-org-id>.amigo.ai/admin/settings/api-keys

  • user_id: Also available in user details at https://<your-org-id>.amigo.ai/admin/users/{user_id}

Once you have the JWT, use it for all subsequent requests:

hashtag
CLI Authentication (Agent Forge)

When using the Agent Forge CLI, authentication is configured via environment variables in your .env.{env} file. Two methods are supported:

hashtag
Method 1: API Key Authentication

Set all three API key variables to use API key auth. This method also supports user impersonation via the --user flag.

hashtag
Method 2: Firebase Authentication (Recommended)

Set GOOGLE_TENANT_ID (and omit API key fields) to use Firebase-based Google Sign-In with device code flow. Tokens are cached in the system keyring and refresh automatically.

circle-info

Auth Method Selection: The CLI automatically selects the auth method based on which environment variables are present. If all three API key fields are set, API key auth is used. Otherwise, Firebase auth is used. Subsequent commands reuse cached tokens and refresh them silently.

circle-exclamation

Impersonation Limitation: The --user flag on conversation commands (smoke-test, simulate, simulate-step) requires API key authentication. Firebase auth does not support user impersonation.

hashtag
Security Best Practices

hashtag
API Key Rotation

  1. Create new keys before current keys expire

  2. Transition applications to use new credentials

  3. Revoke old keys after successful transition

  4. Automate rotation to prevent authentication failures

hashtag
Additional Security Measures

  • Environment Variables — Never hardcode credentials

  • Access Control — Use principle of least privilege

  • Audit Logs — Monitor API key usage

  • Secure Storage — Use secret management solutions

PreviousCore ConceptsNextRegions & Endpoints

Last updated

Was this helpful?