currai
{ blog: "/blog", docs: "/docs" }
Join the waitlist

Authentication

Create a public/secret API key pair and authenticate ingestion requests with HTTP Basic auth.

Every request to Currai's ingestion API is authenticated with a public/secret key pair scoped to a workspace. The SDKs handle the auth header for you; this page explains where keys come from and how the raw HTTP auth works if you call the API directly.

Create an API key

  1. Open your workspace Settings → API keys.
  2. Click Create key. Currai generates a pair:
    • a public key of the form pk-lf-…
    • a secret key of the form sk-lf-…
  3. Copy the secret key now — it is shown once. Afterwards only a short display prefix is stored, so Currai can show you which key is which without ever keeping the secret in plaintext.

Keys belong to a workspace and can be revoked at any time. Creating and revoking keys requires the workspace admin role.

How auth works

Ingestion uses HTTP Basic auth: the public key is the username and the secret key is the password.

Authorization: Basic base64(publicKey:secretKey)

The SDKs build this header automatically from publicKey / secretKey. The OpenTelemetry endpoint accepts the same Basic credentials (or a Bearer secret key) — see OpenTelemetry.

On the server, Currai hashes the secret key and compares it against the stored hash; the plaintext secret never leaves your machine after creation. An invalid or expired key returns 401 Unauthorized.

Keep keys out of source

Read keys from the environment, never from committed code:

const currai = new Currai({
  publicKey: process.env.CURRAI_PUBLIC_KEY!,
  secretKey: process.env.CURRAI_SECRET_KEY!,
});

With keys in hand, send your first trace.

Typewriter with expand code snippet
Join the waitlist