Authentication
Sequenceware uses two authentication methods depending on the caller: API keys for machine callers (agents and SDKs) and JWT bearer tokens for the dashboard and human users.
API Key (agents / SDK)
Used by agents and SDKs to send events. Pass the key in the X-API-Key header:

```bash
curl -X POST http://localhost:3000/v1/events \
  -H "Content-Type: application/json" \
  -H "X-API-Key: acl_your_api_key" \
  -d '{ ... }'
```

Create API keys from the dashboard: Settings > API Keys > Create.
API keys always start with acl_. A key is a bearer credential: whoever holds it can post events as that agent, so keep it in a secret manager or environment variable rather than in source control, and revoke it (see below) if it is exposed.
Manage API keys via API
Key management is itself JWT-authenticated: $JWT_TOKEN below is an admin's access token obtained through the login flow described in the next section.

```bash
# Create a key (admin only)
curl -X POST http://localhost:3000/v1/api-keys \
  -H "Authorization: Bearer $JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "Production agent key"}'

# List keys
curl http://localhost:3000/v1/api-keys \
  -H "Authorization: Bearer $JWT_TOKEN"

# Revoke a key
curl -X DELETE http://localhost:3000/v1/api-keys/{id} \
  -H "Authorization: Bearer $JWT_TOKEN"
```
JWT Bearer Token (dashboard / users)
Used by the frontend dashboard and human users. Log in to obtain an access token and a refresh token:

```bash
# Login
curl -X POST http://localhost:3000/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "admin@example.com",
    "password": "changeme123"
  }'

# Response:
# { "accessToken": "eyJ...", "refreshToken": "..." }
```

Send the access token as a Bearer token on subsequent requests:

```bash
curl http://localhost:3000/v1/runs \
  -H "Authorization: Bearer eyJ..."
```

Refresh tokens
When the access token expires, exchange the refresh token for a new access token instead of logging in again:

```bash
curl -X POST http://localhost:3000/v1/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refreshToken": "..."}'
```

Get current user
Returns the account the bearer token belongs to:

```bash
curl http://localhost:3000/v1/auth/me \
  -H "Authorization: Bearer $JWT_TOKEN"
```
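The two flows above (API key for agents, JWT bearer with refresh for users) combined into one worked example added here; this is not Sequenceware's SDK or server code. A small Python client sends an event with the API key, logs in for a token pair, and transparently refreshes when a bearer call comes back 401. It also checks the documented acl_ prefix before sending a key, so a mispasted secret never leaves the machine. The class name SequencewareClient, the in-process stand-in server, its token strings and the event payload are constructed for the example; only the endpoint paths, headers and response field names come from this page. The stand-in deliberately treats the first access token as already expired to exercise the refresh path.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request


def valid_key_format(key):
    """Client-side sanity check: keys are documented to start with acl_, so never send one that does not."""
    return isinstance(key, str) and key.startswith("acl_") and len(key) > 4


class SequencewareClient:
    """Hypothetical client (not the real SDK): API key for /v1/events, JWT bearer for user endpoints."""

    def __init__(self, base_url, api_key=None):
        if api_key is not None and not valid_key_format(api_key):
            raise ValueError("API key must start with acl_")
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.access_token = self.refresh_token = None
        self.refreshes = 0  # how often we fell back to the refresh token

    def _call(self, method, path, body=None, headers=None):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        for name, value in (headers or {}).items():
            req.add_header(name, value)
        with request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            return resp.status, json.loads(resp.read() or b"null")

    def send_event(self, event):  # agent path: POST /v1/events with X-API-Key
        return self._call("POST", "/v1/events", event, {"X-API-Key": self.api_key})

    def login(self, email, password):  # user path: POST /v1/auth/login -> accessToken + refreshToken
        _, tokens = self._call("POST", "/v1/auth/login", {"email": email, "password": password})
        self.access_token, self.refresh_token = tokens["accessToken"], tokens["refreshToken"]

    def refresh(self):  # POST /v1/auth/refresh: trade the refresh token for a new access token
        _, tokens = self._call("POST", "/v1/auth/refresh", {"refreshToken": self.refresh_token})
        self.access_token = tokens["accessToken"]
        self.refreshes += 1

    def get(self, path):  # bearer-authenticated GET; on a 401 refresh once and retry, then give up
        for attempt in range(2):
            try:
                return self._call("GET", path, headers={"Authorization": "Bearer " + self.access_token})
            except error.HTTPError as exc:
                if exc.code != 401 or attempt == 1:
                    raise
                self.refresh()


class _StandInHandler(BaseHTTPRequestHandler):  # constructed stand-in for the API; every value is fabricated
    VALID_KEY = "acl_example_key"

    def _json(self, code, obj):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(json.dumps(obj).encode())

    def _body(self):
        return json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")

    def do_POST(self):
        if self.path == "/v1/events":
            ok = self.headers.get("X-API-Key") == self.VALID_KEY
            return self._json(202 if ok else 401, {"accepted": ok})
        if self.path == "/v1/auth/login":
            body = self._body()
            if (body.get("email"), body.get("password")) != ("admin@example.com", "changeme123"):
                return self._json(401, {"error": "invalid credentials"})
            return self._json(200, {"accessToken": "access-1", "refreshToken": "refresh-1"})
        if self.path == "/v1/auth/refresh":
            if self._body().get("refreshToken") != "refresh-1":
                return self._json(401, {"error": "invalid refresh token"})
            return self._json(200, {"accessToken": "access-2"})
        return self._json(404, {"error": "not found"})

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token != "access-2":  # "access-1" from login is treated as already expired
            return self._json(401, {"error": "token expired or invalid"})
        return self._json(200, {"runs": [{"id": "run-1"}]})


def run_demo():
    server = HTTPServer(("127.0.0.1", 0), _StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        agent = SequencewareClient(base, api_key=_StandInHandler.VALID_KEY)
        status, _ = agent.send_event({"type": "tool_call", "name": "demo"})  # constructed payload
        user = SequencewareClient(base)
        user.login("admin@example.com", "changeme123")
        _, runs = user.get("/v1/runs")  # first access token is "expired": forces exactly one refresh
        return {"event_status": status, "runs": runs["runs"], "refreshes": user.refreshes}
    finally:
        server.shutdown()
        server.server_close()
```

Calling run_demo() starts the stand-in on an ephemeral port, runs both flows and returns a summary dict; against a real deployment, drop the stand-in and point SequencewareClient at http://localhost:3000.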
Roles
| Role | Permissions |
|---|---|
| admin | Full access: manage policies, users, API keys, settings |
| reviewer | Review approvals, view runs and policies, simulate policies |
| viewer | Read-only access to runs, audit logs, metrics |
Endpoint authentication summary
| Endpoint | Auth method | Required role |
|---|---|---|
| POST /v1/events | API Key | — |
| GET /v1/runs, GET /v1/runs/:id | JWT | Any role |
| GET /v1/approvals | JWT | reviewer, admin |
| POST /v1/approvals/:id/approve, POST /v1/approvals/:id/reject | JWT | reviewer, admin |
| GET /v1/policies | JWT | Any role |
| GET /v1/policies/:id/versions | JWT | Any role |
| POST /v1/policies, PATCH, DELETE | JWT | admin |
| GET /v1/audit | JWT | Any role |
| GET /v1/metrics/* | JWT | Any role |
| POST /v1/api-keys, DELETE | JWT | admin |
| GET /v1/users, POST, PATCH, DELETE | JWT | admin |
| POST /v1/webhooks, DELETE | JWT | admin |
| GET /health | None | — |
| POST /v1/auth/login, /register | None | — |