Authentication

All API endpoints (except health checks) require authentication via the X-API-Key header. API keys are issued per customer and hashed with SHA-256 before database lookup.

Making Authenticated Requests

Include the X-API-Key header in every request:

curl -X POST https://api-production-56df.up.railway.app/events \
  -H "Content-Type: application/json" \
  -H "X-API-Key: sk-acme-b96cb84498324444" \
  -d '{"event_id": "evt-001", "action": "mcp:github:repo.read", "timestamp": "2026-02-26T10:00:00Z"}'

API Key Format

Keys follow the format sk-{customer}-{random}:

sk-acme-b96cb84498324444
sk-tech-d9acb4d86bb04979
sk-ent-20b322cc26bd4d0e

Rate Limits

Rate limits are enforced per customer based on their model tier:

Tier	Rate Limit (events/day)
`starter`	10,000
`pro`	100,000
`enterprise`	1,000,000

When rate limited, the API returns 429 Too Many Requests.

Error Responses

Missing API Key
Invalid API Key
Rate Limited

{
  "detail": "X-API-Key header required"
}

Status: 401 Unauthorized

{
  "detail": "Invalid API key"
}

Status: 401 Unauthorized

{
  "detail": "Rate limit exceeded for tier starter (10000 events/day)"
}

Status: 429 Too Many Requests

Unauthenticated Endpoints

These endpoints do not require the X-API-Key header:

GET /health — Simple health check
GET /health/detailed — Detailed system health
GET /docs — OpenAPI documentation
GET /openapi.json — OpenAPI spec

Middleware Stack

Requests pass through middleware in this order:

CORSMiddleware — CORS headers for cross-origin requests
IsolationMiddleware — Enforces data isolation between customers
AuthMiddleware — Validates X-API-Key and resolves customer context

API Reference

Endpoints

​Authentication

​Making Authenticated Requests

​API Key Format

​Rate Limits

​Error Responses

​Unauthenticated Endpoints

​Middleware Stack