Authentication
All Akira API requests require authentication using an API key.
Getting an API Key
To obtain an API key:
- Sign up at app.akiralabs.ai (opens in a new tab)
- Navigate to Settings → API Keys
- Click Create API Key
- Copy and securely store your key
You can also use the platform directly to create and manage sandboxes through the web interface.
Keep Your Key Secret
API keys grant full access to your account. Never share them or commit them to version control.
Using Your API Key
HTTP Header
Include your API key in the x-api-key header:
curl https://api.akiralabs.ai/v1/sandboxes/list \
-H "x-api-key: YOUR_API_KEY"Query Parameter
Alternatively, include your API key as a query parameter:
curl "https://api.akiralabs.ai/v1/sandboxes/list?api_key=YOUR_API_KEY"The header method is preferred for security reasons.
TypeScript SDK
The SDK accepts your key directly or via environment variable:
import SandboxSDK from '@akiralabs/sandbox-sdk';
// Option 1: Explicit key
const client = new SandboxSDK({
apiKey: 'YOUR_API_KEY',
});
// Option 2: Environment variable (recommended)
const client = new SandboxSDK({
apiKey: process.env['AKIRA_API_KEY'],
});Error Handling
The SDK provides typed errors for different failure scenarios:
import SandboxSDK from '@akiralabs/sandbox-sdk';
try {
await client.sandboxes.list();
} catch (err) {
if (err instanceof SandboxSDK.APIError) {
console.log(err.status, err.name, err.headers);
}
}| Status Code | Error Type |
|---|---|
| 400 | BadRequestError |
| 401 | AuthenticationError |
| 403 | PermissionDeniedError |
| 404 | NotFoundError |
| 422 | UnprocessableEntityError |
| 429 | RateLimitError |
| ≥500 | InternalServerError |
Environment Variables
Store your key as an environment variable:
# .env (add to .gitignore!)
AKIRA_API_KEY=your_api_key_here# Shell
export AKIRA_API_KEY=your_api_key_hereKey Management
Best Practices
- Never hardcode keys - Use environment variables
- Rotate regularly - Generate new keys periodically
- Use separate keys - Different keys for dev/staging/production
- Monitor usage - Watch for unexpected activity
- Revoke compromised keys - Immediately disable leaked keys
Rotating Keys
To rotate a key:
- Create a new API key in the dashboard
- Update your application to use the new key
- Verify the new key works
- Delete the old key
Revoking Keys
If a key is compromised:
- Go to Settings → API Keys in the dashboard
- Find the compromised key
- Click Revoke
- The key is immediately invalidated
Error Responses
Missing Key
{
"error": {
"code": "unauthorized",
"message": "Missing API key. Include your key in the x-api-key header."
}
}Invalid Key
{
"error": {
"code": "unauthorized",
"message": "Invalid API key. Check that your key is correct and active."
}
}Revoked Key
{
"error": {
"code": "unauthorized",
"message": "This API key has been revoked."
}
}Security Recommendations
CI/CD Environments
Use secrets management for CI/CD:
GitHub Actions:
env:
AKIRA_API_KEY: ${{ secrets.AKIRA_API_KEY }}GitLab CI:
variables:
AKIRA_API_KEY: $AKIRA_API_KEYServer Applications
Use environment variables or secrets managers:
// Node.js with dotenv
import 'dotenv/config';
const client = new SandboxSDK({
apiKey: process.env.AKIRA_API_KEY,
});Client Applications
Never Expose Keys in Client Code
API keys should never be included in frontend JavaScript, mobile apps, or any client-side code. Use a backend proxy instead.
// BAD: Key exposed in frontend
const client = new SandboxSDK({
apiKey: 'sk_live_abc123', // Anyone can see this!
});
// GOOD: Call your backend which has the key
const response = await fetch('/api/sandbox/create', {
method: 'POST',
});Next Steps
- API Introduction - Request/response format
- API Reference - Interactive documentation
- Quickstart - Create your first sandbox