Files
wehub-resource-sync 426e9eeabd
Voice Workbench / headless workbench (mocked backends) (push) Has been cancelled
Voice Workbench / real acoustic lane (nightly, provisioned only) (push) Has been cancelled
ci / test (push) Has been cancelled
ci / lint-and-format (push) Has been cancelled
ci / build (push) Has been cancelled
ci / dev-startup (push) Has been cancelled
gitleaks / gitleaks (push) Has been cancelled
Markdown Links / Relative Markdown Links (push) Has been cancelled
Quality (Extended) / Homepage Build (PR smoke) (push) Has been cancelled
Quality (Extended) / Comment-only diff guard (push) Has been cancelled
Quality (Extended) / Format + Type Safety Ratchet (push) Has been cancelled
Quality (Extended) / Develop Gate (secret scan + UI determinism) (push) Has been cancelled
Quality (Extended) / Develop Gate (lint) (push) Has been cancelled
Chat shell gestures / Chat shell gesture + parity e2e (push) Has been cancelled
Cloud Gateway Discord / Test (push) Has been cancelled
Benchmark Bridge Tests / benchmark (bunx @biomejs/biome check packages/lifeops-bench/src, benchmark-lint) (push) Has been cancelled
Benchmark Bridge Tests / benchmark (bunx vitest run --config packages/lifeops-bench/vitest.config.ts --root packages/lifeops-bench --passWithNoTests, benchmark-tests) (push) Has been cancelled
Build Agent Image / build-and-push (push) Has been cancelled
Dev Smoke / bun run dev onboarding chat (push) Has been cancelled
Dev Smoke / Vite HMR dependency-level smoke (push) Has been cancelled
Electrobun Submodule Guard / electrobun gitlink is fetchable (push) Has been cancelled
Publish @elizaos/example-code / check_npm (push) Has been cancelled
Publish @elizaos/example-code / publish_npm (push) Has been cancelled
Publish @elizaos/plugin-elizacloud / verify_version (push) Has been cancelled
Publish @elizaos/plugin-elizacloud / publish_npm (push) Has been cancelled
Sandbox Live Smoke / Sandbox live smoke (push) Has been cancelled
Snap Build & Test / Build Snap (amd64) (push) Has been cancelled
Snap Build & Test / Build Snap (arm64) (push) Has been cancelled
Test Packaging / elizaos CLI global-install smoke (node + bun) (push) Has been cancelled
Cloud Gateway Webhook / Test (push) Has been cancelled
Cloud Tests / lint-and-types (push) Has been cancelled
Cloud Tests / unit-tests (push) Has been cancelled
Cloud Tests / integration-tests (push) Has been cancelled
Cloud Tests / e2e-tests (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Deploy Apps Worker (Product 2) / Determine environment (push) Has been cancelled
Deploy Apps Worker (Product 2) / Deploy apps worker to apps-control host (${{ needs.determine-env.outputs.environment }}) (push) Has been cancelled
Deploy Eliza Provisioning Worker / Determine environment (push) Has been cancelled
Deploy Eliza Provisioning Worker / Deploy worker to Hetzner host (${{ needs.determine-env.outputs.environment }} @ ${{ needs.determine-env.outputs.deployment_sha }}) (push) Has been cancelled
Dev Smoke / Classify changed paths (push) Has been cancelled
supply-chain / sbom (push) Has been cancelled
supply-chain / vulnerability-scan (push) Has been cancelled
Build, Push & Deploy to Phala Cloud / build-and-push (push) Has been cancelled
Test Packaging / Validate Packaging Configs (push) Has been cancelled
Test Packaging / Build & Test PyPI Package (push) Has been cancelled
Test Packaging / PyPI on Python ${{ matrix.python }} (push) Has been cancelled
Test Packaging / Pack & Test JS Tarballs (push) Has been cancelled
UI Fixture E2E / ui-fixture-e2e (push) Has been cancelled
UI Fixture E2E / fixture-e2e (push) Has been cancelled
UI Story Gate / story-gate (push) Has been cancelled
vault-ci / test (macos-latest) (push) Has been cancelled
vault-ci / test (ubuntu-latest) (push) Has been cancelled
vault-ci / test (windows-latest) (push) Has been cancelled
vault-ci / app-core wiring tests (push) Has been cancelled
verify-patches / verify patches/CHECKSUMS.sha256 (push) Has been cancelled
Voice Benchmark Smoke / voice-emotion fixture smoke (push) Has been cancelled
Voice Benchmark Smoke / voiceagentbench fixture smoke (push) Has been cancelled
Voice Benchmark Smoke / voicebench-quality unit smoke (push) Has been cancelled
Voice Benchmark Smoke / voicebench TypeScript unit (no audio) (push) Has been cancelled
Voice Benchmark Smoke / voice bench smoke summary (push) Has been cancelled
Windows CI / windows ([bun run --cwd packages/app-core test bun run --cwd packages/elizaos test bun run --cwd packages/cloud/shared test], app-and-cli) (push) Has been cancelled
Windows CI / windows ([bun run --cwd packages/scenario-runner test bun run --cwd packages/vault test bun run --cwd packages/security test bun run --cwd plugins/plugin-coding-tools test], framework-packages) (push) Has been cancelled
Windows CI / windows ([bun run --cwd plugins/plugin-elizacloud test bun run --cwd plugins/plugin-discord test bun run --cwd plugins/plugin-anthropic test bun run --cwd plugins/plugin-openai test bun run --cwd plugins/plugin-app-control test bun run --cwd plugins/pl… (push) Has been cancelled
Windows CI / windows ([node packages/scripts/run-turbo.mjs run build --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/agent --concurrency=4 node packages/scripts/run-bash-linux-only.mjs scripts/verify-riscv64-buildpaths.sh node packages/scripts/run… (push) Has been cancelled
Windows CI / windows ([node packages/scripts/run-turbo.mjs run typecheck --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/cloud-shared --concurrency=4 bun run --cwd packages/core test bun run --cwd packages/shared test], core-runtime, 75) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:43:05 +08:00

290 lines
7.8 KiB
Plaintext
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
title: Authentication
description: Learn how to authenticate with elizaOS Cloud APIs using API keys, session tokens, wallet signatures (SIWE and per-request), and x402 payments.
---
# Authentication
Secure your API requests with elizaOS Cloud authentication methods.
## Overview
elizaOS Cloud supports multiple authentication methods:
| Method | Use Case | Header / flow |
| ---------------- | --------------------------- | -------------------------------------------------- |
| **API Key** | Server-to-server | `Authorization: Bearer eliza_xxx` or `X-API-Key` |
| **Session** | Browser apps | Cookie-based (Steward) |
| **SIWE** | Wallet sign-in, get API key | GET nonce → sign message → POST verify → use key |
| **Wallet header**| Per-request wallet auth | `X-Wallet-Address`, `X-Timestamp`, `X-Wallet-Signature` |
| **x402** | Crypto payments | `X-PAYMENT: ...` |
## API Keys
### Creating an API Key
1. Navigate to [Dashboard → API Keys](https://elizacloud.ai/dashboard/api-keys)
2. Click "Create API Key"
3. Name your key and set permissions
4. Copy and securely store the key
<Warning>
API keys are shown only once. Store them securely immediately after creation.
</Warning>
### Using API Keys
<Tabs>
<Tab title="cURL">
```bash
curl -X GET "https://elizacloud.ai/api/v1/dashboard" \
-H "Authorization: Bearer eliza_xxxxxxxxxxxx"
```
</Tab>
<Tab title="JavaScript">
```javascript
const response = await fetch('https://elizacloud.ai/api/v1/dashboard', {
headers: {
'Authorization': 'Bearer eliza_xxxxxxxxxxxx',
},
});
```
</Tab>
<Tab title="Python">
```python
import requests
response = requests.get(
'https://elizacloud.ai/api/v1/dashboard',
headers={'Authorization': 'Bearer eliza_xxxxxxxxxxxx'}
)
```
</Tab>
</Tabs>
### Key Prefix
API keys use the `eliza_` prefix. The same header formats work for dashboard,
server, CLI, and wallet-issued keys.
### Key Permissions
Restrict keys to specific endpoints:
```json
{
"name": "Production Chat Key",
"permissions": [
"chat:read",
"chat:write",
"embeddings:read"
],
"rateLimit": 100
}
```
### Available Permissions
Permissions can be used to restrict what operations an API key can perform.
| Permission | Description |
| ------------ | ------------------- |
| `chat` | Chat completions |
| `embeddings` | Generate embeddings |
| `images` | Image generation |
| `video` | Video generation |
| `voice` | Voice/TTS |
| `knowledge` | Knowledge base |
| `agents` | Agent management |
| `apps` | App management |
<Info>
If no permissions are specified when creating an API key, the key has access
to all endpoints by default. Use permissions to create restricted keys for
specific use cases.
</Info>
## API Key Management
### List Keys
```bash
curl -X GET "https://elizacloud.ai/api/v1/api-keys" \
-H "Authorization: Bearer eliza_xxxxxxxxxxxx"
```
### Regenerate Key
```bash
curl -X POST "https://elizacloud.ai/api/v1/api-keys/{id}/regenerate" \
-H "Authorization: Bearer eliza_xxxxxxxxxxxx"
```
### Revoke Key
```bash
curl -X DELETE "https://elizacloud.ai/api/v1/api-keys/{id}" \
-H "Authorization: Bearer eliza_xxxxxxxxxxxx"
```
## Session Authentication
For browser-based applications, sign in through Steward (hosted login). After login,
the app stores the Steward session and sets HTTP-only cookies; API calls use `credentials: "include"`.
```javascript
import { useSessionAuth } from "@/lib/hooks/use-session-auth";
function MyComponent() {
const { authenticated } = useSessionAuth();
const makeApiCall = async () => {
const response = await fetch("https://elizacloud.ai/api/v1/dashboard", {
credentials: "include",
});
};
}
```
## Wallet & SIWE (Sign-In With Ethereum)
Wallet-based auth supports agents and headless clients that cannot use browser sessions.
### SIWE flow (get an API key)
1. **GET /api/auth/siwe/nonce** — Returns `{ nonce, domain, uri, chainId, version, statement }`. Nonce is one-time, 5 min TTL (Redis). **Why nonce?** Prevents replay; timestamp-only can be replayed within the window.
2. Build the EIP-4361 message with the nonce and sign it with the wallet.
3. **POST /api/auth/siwe/verify** — Body `{ message, signature }`. Server validates domain and signature, consumes the nonce, then finds or creates user/org and returns **`apiKey`** with `user` and `organization`. New wallets get initial free credits (configurable via `INITIAL_FREE_CREDITS`).
4. Use the returned API key: `X-API-Key: <key>` or `Authorization: Bearer <key>` on subsequent requests.
### Wallet header signature (no API key)
Send on every request instead of storing an API key:
- **X-Wallet-Address**: Ethereum address (any case).
- **X-Timestamp**: Unix ms (must be within ±5 min of server time). **Why?** Binds the signature to a time window and limits replay.
- **X-Wallet-Signature**: Signature of the message
`Eliza Cloud Authentication\nTimestamp: ${timestamp}\nMethod: ${method}\nPath: ${path}`
so the signature is bound to this request. **Why method + path?** Prevents reusing the same signature on another endpoint.
If the wallet is unknown, the first valid signed request **creates** the account (same as SIWE signup). After that, any endpoint that uses `requireAuthOrApiKey` accepts wallet-header auth.
### x402 topup with wallet
**POST /api/v1/topup/10**, **/50**, **/100** (x402 payment-gated):
- With **wallet sig headers**: credits go to the signers wallet (no body `walletAddress` needed).
- Without wallet sig: send **body.walletAddress**; that wallets org is credited. New wallets are created without initial free credits (payment only).
See [Wallet API](/cloud/wallet-api) for full reference, WHYs, and file list.
## x402 Authentication
Pay per request with cryptocurrency:
```bash
curl -X POST "https://elizacloud.ai/api/v1/chat/completions" \
-H "Content-Type: application/json" \
-H "X-PAYMENT: <x402-payment-header>" \
-d '{"model": "gpt-4o", "messages": [...]}'
```
<Info>
See the crypto payments section below for details.
</Info>
## Security Best Practices
### Do's
- ✅ Use environment variables for API keys
- ✅ Rotate keys regularly
- ✅ Use minimal permissions
- ✅ Monitor key usage
- ✅ Use different keys for different environments
### Don'ts
- ❌ Commit keys to version control
- ❌ Share keys between applications
- ❌ Use production keys in development
- ❌ Expose keys in client-side code
- ❌ Log API keys
### Environment Variables
```bash
# .env.local (never commit this file)
ELIZA_API_KEY=eliza_xxxxxxxxxxxx
```
```javascript
// Access in your code
const apiKey = process.env.ELIZA_API_KEY;
```
## Error Responses
### 401 Unauthorized
```json
{
"error": {
"code": "UNAUTHORIZED",
"message": "Invalid or missing authentication"
}
}
```
**Causes:**
- Missing API key
- Invalid API key
- Expired session
### 403 Forbidden
```json
{
"error": {
"code": "FORBIDDEN",
"message": "Insufficient permissions"
}
}
```
**Causes:**
- Key lacks required permission
- Resource access denied
## Rate Limiting
Rate limits are endpoint-specific. See [Rate Limits](/cloud/rate-limits) for the
current presets and retry guidance. Rate-limited responses include headers such
as:
```
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1705312860
```
## Next Steps
<CardGroup>
<CardGroup.Card title="API Reference" href="/cloud/api">
Complete API documentation
</CardGroup.Card>
<CardGroup.Card title="Billing" href="/cloud/billing">
Manage credits and payments
</CardGroup.Card>
<CardGroup.Card title="Rate Limits" href="/cloud/rate-limits">
Understand rate limiting
</CardGroup.Card>
</CardGroup>