Authentication

SwarmStack uses Bearer token authentication to secure all API endpoints. This guide covers how to obtain, use, and manage your API tokens.

Bearer Tokens

All authenticated API requests must include a valid Bearer token in the Authorization header.

http

Authorization: Bearer sk-swarm-your-api-key-here

Token Format

SwarmStack API keys follow the format:

text

sk-swarm-{environment}-{random-hex-string}

Where:

sk-swarm - Standard prefix for all SwarmStack keys
{environment} - Either prod or dev
{random-hex-string} - 64-character unique identifier

Making Authenticated Requests

Using cURL

bash

curl -H "Authorization: Bearer sk-swarm-prod-xxxxx" \
     "https://api.swarmstack.net/api/ls?path=/opt/swarm"

Using JavaScript (fetch)

javascript

const response = await fetch('https://api.swarmstack.net/api/ls?path=/opt/swarm', {
  headers: {
    'Authorization': 'Bearer sk-swarm-prod-xxxxx'
  }
});
const data = await response.json();

Using Python (requests)

python

import requests

headers = {
    'Authorization': 'Bearer sk-swarm-prod-xxxxx'
}

response = requests.get(
    'https://api.swarmstack.net/api/ls',
    params={'path': '/opt/swarm'},
    headers=headers
)
data = response.json()

Authentication Errors

When authentication fails, the API returns one of these responses:

Status Code	Error	Description
`401`	Missing token	No Authorization header provided
`401`	Invalid token	Token format is incorrect or doesn't match
`403`	Token expired	The token has been revoked or expired

Error Response Format

json

{
  "error": "Unauthorized",
  "message": "Invalid or missing authentication token"
}

Security Best Practices

⚠️ Never Expose Your API Keys

Do not commit API keys to version control or expose them in client-side code.

Environment Variables

Store your API key in environment variables:

bash

# Add to your shell profile (.bashrc, .zshrc, etc.)
export SWARM_API_KEY="sk-swarm-prod-xxxxx"

# Use in scripts
curl -H "Authorization: Bearer $SWARM_API_KEY" \
     "https://api.swarmstack.net/api/health"

Key Rotation

For security, you should rotate your API keys periodically:

Generate a new API key from your dashboard
Update all applications using the old key
Revoke the old key once migration is complete
Never keep both keys active longer than necessary

IP Allowlisting

For production deployments, consider restricting API access to specific IP addresses. Contact support to enable IP allowlisting for your account.

✓ Security Checklist

Use environment variables • Never commit keys • Rotate regularly • Use HTTPS only • Monitor usage

Public Endpoints

Some endpoints don't require authentication:

Endpoint	Method	Description
`/api/health`	GET	API status and uptime
`/api/waitlist`	POST	Join the beta waitlist