Authenticate against the current api-server with API keys, JWT access tokens, local login, and OAuth. The current api-server exposes three authentication patterns:
  • API keys for machine-to-machine access through X-API-Key
  • JWT bearer tokens returned by POST /auth/login and POST /auth/refresh
  • Browser-based OAuth through GET /auth/google and GET /auth/github
X-API-Key: your_api_key

Local Login

POST /auth/login uses the local auth strategy and accepts:
  • username
  • password
On success, the response includes accessToken, refreshToken, and a user payload. 
curl -X POST https://api.agentenv.io/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "demo_user",
    "password": "change_me"
  }'

API Keys

API keys are created with POST /auth/api-keys and then validated automatically by JwtAuthGuard when the request includes X-API-Key. 
curl -X GET https://api.agentenv.io/v1/auth/profile \
  -H "X-API-Key: $AGENTENV_API_KEY"

OAuth And TOTP

  • GET /auth/google and GET /auth/github start browser-based OAuth flows.
  • If TOTP is enabled for the user, the API exposes /auth/totp/setup, /auth/totp/verify, /auth/totp/verify-setup, and /auth/totp/disable.
  • Workspace-scoped Google integrations are managed separately under /workspaces/{workspaceId}/oauth-connections/google.

Next Pages