Authentication

Amrood uses API keys for authentication. There are two modes:

Platform Authentication

Used by developers making server-to-server calls. Grants access to all agents under the platform.
x-platform-id: plt_abc123
x-platform-secret: sk_live_xxxxx
Platform keys can:
  • Create and manage owners
  • Create and manage agents
  • Access any agent’s wallet and transactions
  • Update spend policies

Agent Authentication

Used by AI agents making their own calls. Scoped to a single agent’s wallet.
x-agent-key: agk_live_xxxxx
Agent keys can:
  • Check their own balance
  • Fund their wallet
  • Make payments
  • View their transaction history
Agent keys cannot:
  • Access other agents’ data
  • Create owners or agents
  • Override spend policies

Security

  • All API keys are hashed with bcrypt before storage — raw keys are never persisted
  • Keys are returned exactly once at creation time
  • Rate limiting: 100 req/min per agent, 1000 req/min per platform
  • All transactions require an idempotency_key to prevent duplicate processing

Error Responses

Invalid or missing credentials return:
{
  "error": {
    "code": "authentication_error",
    "message": "Invalid or missing API key"
  }
}
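
An added example, not Amrood's own code, of client-side handling for the two modes above: it loads exactly one credential set so an agent process never also holds a platform secret, redacts secret headers before logging, and recognizes the documented authentication_error body. The environment variable names and function names are assumptions; the header names and error shape are the ones on this page.

```python
import hashlib
import json

# Header names are the ones documented above; the environment variable
# names and this set of secret-carrying headers are assumptions.
SECRET_HEADERS = {"x-platform-secret", "x-agent-key"}


def auth_headers(env):
    """Return headers for exactly one auth mode, refusing mixed credentials."""
    platform = (env.get("AMROOD_PLATFORM_ID"), env.get("AMROOD_PLATFORM_SECRET"))
    agent_key = env.get("AMROOD_AGENT_KEY")
    if any(platform) and agent_key:
        # An agent process that also holds a platform secret loses the
        # single-wallet scoping that agent keys are meant to provide.
        raise ValueError("both platform and agent credentials are set")
    if agent_key:
        return {"x-agent-key": agent_key}
    if all(platform):
        return {"x-platform-id": platform[0], "x-platform-secret": platform[1]}
    raise ValueError("missing or incomplete credentials")


def redact(headers):
    """Copy of headers safe to log: secrets replaced by a short fingerprint."""
    out = {}
    for name, value in headers.items():
        if name.lower() in SECRET_HEADERS:
            # Keys are shown once at creation, so a leaked log line means
            # rotation; log only a fingerprint that lets you tell keys apart.
            digest = hashlib.sha256(value.encode()).hexdigest()[:8]
            out[name] = f"<redacted sha256:{digest}>"
        else:
            out[name] = value
    return out


def is_auth_error(body):
    """True if a response body is the documented authentication_error."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return False
    err = doc.get("error") if isinstance(doc, dict) else None
    return isinstance(err, dict) and err.get("code") == "authentication_error"
```

A caller would treat `is_auth_error(...)` as non-retryable and fix the credential rather than resend the request.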