Authentication

View as Markdown

The Krenalis API uses API keys for authenticating requests. You can manage these keys through the Krenalis Admin console. The API keys utilize HTTP Bearer Authentication.

When accessing resources within a workspace, you can specify the workspace ID by passing the Krenalis-Workspace header.

Restricted keys

API keys can be optionally restricted to a specific workspace during their creation. A restricted key can only be used within the assigned workspace. In this case, you do not need to include the Krenalis-Workspace header in your request.

Authenticated request
curl https://example.com/v1/connections \
-H "Authorization: Bearer <YOUR_API_KEY>"
Authenticated request with explicit workspace ID
curl https://example.com/v1/connections \
-H "Authorization: Bearer <YOUR_API_KEY>"
-H "Krenalis-Workspace: <WORKSPACE_ID>"

Event write keys

To send events, it is strongly recommended to use an event write key, a limited credential designed specifically for event ingestion. It is tied to a single source connection, such as SDKs and webhooks, and provides access only to event ingestion endpoints:

Browser and server usage

You can call event ingestion endpoints from server applications and from client apps (web and mobile). For browser-based requests, these endpoints support CORS. In most cases, the JavaScript SDK handles this automatically.

Creating and managing event write keys

For SDK and webhook source connections, you can manage event write keys in the Krenalis Admin console or via the Event write keys API.

Authenticated request with an event write key
curl https://example.com/v1/events \
-H "Authorization: Bearer <YOUR_WRITE_KEY>"

Organizations API key

The Organizations API uses a dedicated key type — the organizations API key — instead of the standard API key. Unlike API keys and event write keys, which are created and managed by Krenalis itself, the organizations API key must be generated externally and supplied to the Krenalis installation via an environment variable. If the key is not provided, the Organizations API is disabled entirely.

The key is a string starting with org_ followed by 43 random alphanumeric characters and must be passed as a Bearer token in the Authorization header. The following is an example of a shell command that uses the python command to generate a valid organizations API key:

python -c "import string, secrets; alphabet=string.ascii_letters+string.digits; print('org_'+''.join(secrets.choice(alphabet) for i in range(43)))"
Authenticated request with an organizations API key
curl https://example.com/v1/organizations \
-H "Authorization: Bearer <YOUR_ORG_KEY>"