Authentication
Outter supports two primary authentication methods for secure API access: API Key authentication for server-to-server or programmatic access, and JWT (JSON Web Token) authentication for user-based access (e.g., when acting on behalf of an authenticated user in a client app). All API requests must include one of these authentication credentials; unauthenticated requests will be rejected at the gateway level.
API Key Authentication
API Keys are the primary method for programmatic access. An API key is a secret token associated with your Outter account (and a specific tenant or project). API keys are issued by the Auth service, which stores only a hash of each key. Typically, a tenant administrator generates an API key via the Outter dashboard or an API endpoint. For example, Outter provides an endpoint such as POST /api/auth/api-keys (or /api-keys/generate) to create a new API key for your account. The response includes the newly generated key; it is shown only once and cannot be retrieved again in plaintext, so record it immediately.
Using API Keys: To authenticate a request with an API key, include it in the request headers. Outter's gateway expects the API key in a header (for example, X-API-Key: <your_api_key>). Example:
GET https://api.outter.io/v2/ai/content/generate
X-API-Key: YOUR_API_KEY
Content-Type: application/json
In this example, replace YOUR_API_KEY with the actual key. If the key is valid, Outter's API Gateway (Kong) authenticates the request and routes it to the appropriate service. If the key is missing or invalid, the gateway immediately rejects the call with an error (HTTP 401 Unauthorized). API keys do not expire by default, so treat them like passwords: keep them secret, rotate them periodically, and scope them to specific roles or environments where possible.
API Key Best Practices:
- Secure Storage: Store API keys securely (e.g., in environment variables or a secrets manager, not in source code). Outter stores keys hashed in its database for safety.
- Least Privilege: Generate multiple keys for different applications or services, each with only the necessary permissions.
- Rotation: Periodically regenerate keys and revoke old ones via the API or dashboard to reduce risk if a key is compromised.
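The following is an added illustration of the key lifecycle described in the "Using API Keys" section and the best-practices list above: issuing a key whose plaintext is returned once while only its hash is stored, a client presenting it in the X-API-Key header read from an environment variable, a gateway-side check that returns 401 for a missing, unknown or revoked key, and revocation as the rotation step. It is example code written for this page, not Outter's Auth service or Kong configuration; the header name comes from the docs, while the environment variable name OUTTER_API_KEY, the "ok_" key prefix, the in-memory store and the metadata fields are assumptions.

```python
"""Illustrative API-key flow: issue (store only a hash), present (X-API-Key header),
verify (gateway side), revoke. Example code, not Outter's implementation."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

API_KEY_HEADER = "X-API-Key"        # header name from the Outter docs
KEY_ENV_VAR = "OUTTER_API_KEY"      # assumed variable name; the docs do not prescribe one

# Constructed in-memory store standing in for the Auth service's database:
# maps sha256(key) -> metadata. Plaintext keys are never written here.
_KEY_STORE: Dict[str, Dict[str, object]] = {}


def _hash_key(api_key: str) -> str:
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def issue_api_key(tenant: str, role: str) -> str:
    """Generate a random key, persist only its hash, and return the plaintext once."""
    plaintext = "ok_" + secrets.token_urlsafe(32)  # "ok_" prefix is an assumed convention
    _KEY_STORE[_hash_key(plaintext)] = {"tenant": tenant, "role": role, "revoked": False}
    return plaintext


def revoke_api_key(api_key: str) -> bool:
    """Mark a key revoked (the rotation step). Returns False if the key is unknown."""
    record = _KEY_STORE.get(_hash_key(api_key))
    if record is None:
        return False
    record["revoked"] = True
    return True


def authenticate(headers: Dict[str, str]) -> Tuple[int, Optional[Dict[str, object]]]:
    """Gateway-side check. Returns (200, key metadata) or (401, None).

    Header names are matched case-insensitively. The presented hash is compared
    against every stored hash with hmac.compare_digest and the loop never exits
    early, so timing does not reveal which stored digest partially matched.
    """
    presented = next(
        (v for k, v in headers.items() if k.lower() == API_KEY_HEADER.lower()), None
    )
    if not presented:
        return 401, None  # missing header: rejected before any service is reached
    digest = _hash_key(presented)
    found = None
    for stored_digest, record in _KEY_STORE.items():
        if hmac.compare_digest(stored_digest, digest):
            found = record
    if found is None or found["revoked"]:
        return 401, None  # unknown or revoked key
    return 200, found


def build_request_headers(env_var: str = KEY_ENV_VAR) -> Dict[str, str]:
    """Client side: read the key from the environment, never from source code."""
    api_key = os.environ.get(env_var)
    if not api_key:
        raise RuntimeError(f"{env_var} is not set; export it or load it from a secrets manager")
    return {API_KEY_HEADER: api_key, "Content-Type": "application/json"}


if __name__ == "__main__":
    key = issue_api_key(tenant="acme", role="content:generate")
    os.environ[KEY_ENV_VAR] = key                    # stands in for a secrets manager
    status, meta = authenticate(build_request_headers())
    print(status, meta)                              # 200 plus the key's metadata
    revoke_api_key(key)
    print(authenticate(build_request_headers())[0])  # 401 once the key is rotated out
```

Each key carries its own tenant and role, which is what lets one key per application be scoped to only the permissions it needs; revoking a key flips a flag rather than deleting the row, so the event remains auditable.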