Skip to content
Wrapd

Authentication

Wrapd uses two authentication methods depending on context:

API keys (for calling endpoints)

Section titled “API keys (for calling endpoints)”

When calling a public endpoint, authenticate with the X-API-Key header:

Terminal window
curl https://api.wrapd.sh/v1/username/endpoint \
  -H "X-API-Key: wrapd_sk_your_key"

Creating API keys

Section titled “Creating API keys”

Create keys in the dashboard or via the API:

Terminal window
curl -X POST https://api.wrapd.sh/api-keys \
  -H "Authorization: Bearer YOUR_JWT" \
  -H "Content-Type: application/json" \
  -d '{"label": "production"}'

Keys are shown once on creation. The stored hash cannot be reversed.

Key format: wrapd_sk_{random}

Revoking keys

Section titled “Revoking keys”

Revoked keys immediately stop working. Revocation cannot be undone.

Agent tokens (for running the agent)

Section titled “Agent tokens (for running the agent)”

Agent tokens authenticate the agent’s WebSocket connection.

Token format: wrapd_at_{random}

Create tokens in the dashboard during setup, or in Settings. Like API keys, they’re shown once and stored as hashes.

Section titled “Dashboard auth (magic links)”

The dashboard uses passwordless magic link authentication:

  1. Enter your email at the login page.
  2. Receive an email with a login link (valid for 15 minutes).
  3. Click the link to authenticate and receive a JWT cookie (valid for 7 days).

The JWT is stored as an httpOnly cookie — it’s not accessible to JavaScript.