Authentication & Security
Enterprise-grade identity, access control, and audit infrastructure. Every request authenticated, every action governed, every decision recorded.
Authentication Methods
Choose the authentication strategy that fits your integration pattern.
API Keys
Server-to-server authentication with scoped permissions and automatic rotation. Ideal for backend integrations and CI/CD pipelines.
OAuth 2.0
User-context operations via authorization code flow with PKCE support. Standards-compliant implementation for web and mobile apps.
SSO / SAML
Enterprise single sign-on via SAML 2.0 and OpenID Connect. Managed through WorkOS. Available on Business and Enterprise plans.
JWT Tokens
RS256-signed session tokens for authenticated user sessions. Auto-refresh, revocation, and configurable expiry.
API Key Authentication
Server-to-server authentication with scoped permissions
Creating API Keys
Navigate to Settings → API Keys → Create in the ARQERA app. Each key is shown exactly once at creation. Store it securely — you will not be able to view the full key again.
Production
ak_live_...Live environment. Real data and billing.
Sandbox
ak_test_...Isolated sandbox. No billing, safe for testing.
Permission Scopes
| Scope | Description |
|---|---|
diagnostic:read | Read system diagnostics and health data |
diagnostic:write | Run diagnostic checks and update configuration |
governance:read | Read governance evaluations and approval history |
governance:write | Create evaluations and manage approval workflows |
evidence:read | Read evidence artifacts and audit trail |
evidence:write | Emit evidence artifacts and create audit entries |
ara:execute | Execute Ara AI actions and protocol runs |
admin | Full administrative access (tenant-scoped) |
Authenticating Requests
Include your API key in the request header using either format:
Option 1 — X-API-Key header
X-API-Key: ak_live_abc123...Option 2 — Authorization header
Authorization: Bearer ak_live_abc123...Code Examples
cURL
curl -X GET https://api.arqera.io/api/diagnostic/health \ -H "X-API-Key: ak_live_your_key_here"
Python
import os
from arqera import ArqeraClient
client = ArqeraClient(
api_key=os.environ["ARQERA_API_KEY"],
base_url="https://api.arqera.io",
)
health = client.diagnostic.health()
print(health)TypeScript
import { ArqeraClient } from '@arqera/sdk';
const client = new ArqeraClient({
apiKey: process.env.ARQERA_API_KEY!,
baseUrl: 'https://api.arqera.io',
});
const health = await client.diagnostic.health();
console.log(health);Key Rotation
API keys expire automatically after 90 days. A notification is sent 24 hours before deactivation. Follow this zero-downtime rotation process:
- 1Create a new API key with the same scopes in Settings → API Keys.
- 2Deploy the new key to your services. Both old and new keys work simultaneously.
- 3Verify all services are using the new key by checking “Last Used” timestamps.
- 4Revoke the old key. Revocation is immediate and irreversible.
OAuth 2.0
User-context authentication for web, mobile, and SPA applications
Endpoints
https://app.arqera.io/oauth/authorizehttps://app.arqera.io/oauth/tokenhttps://app.arqera.io/oauth/userinfoSupported Grant Types
authorization_code
Standard OAuth flow for server-side web apps. Includes PKCE support for public clients.
client_credentials
Machine-to-machine authentication. No user context. Ideal for backend services.
refresh_token
Exchange a refresh token for a new access token without re-authentication.
OAuth Scopes
| Scope | Description |
|---|---|
openid | Required. Returns a sub claim in the ID token. |
profile | User profile information (name, avatar). |
email | User email address. |
offline_access | Enables refresh token issuance. |
diagnostic:read | Read system diagnostics. |
governance:read | Read governance data. |
evidence:read | Read evidence artifacts. |
ara:execute | Execute Ara AI actions. |
PKCE (Proof Key for Code Exchange)
Required for public clients (SPAs, mobile apps, CLI tools). PKCE prevents authorization code interception attacks without requiring a client secret.
// 1. Generate code verifier and challenge
const verifier = generateRandomString(64);
const challenge = base64url(sha256(verifier));
// 2. Authorization request (browser redirect)
const authUrl = new URL('https://app.arqera.io/oauth/authorize');
authUrl.searchParams.set('client_id', CLIENT_ID);
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('redirect_uri', REDIRECT_URI);
authUrl.searchParams.set('scope', 'openid profile email');
authUrl.searchParams.set('code_challenge', challenge);
authUrl.searchParams.set('code_challenge_method', 'S256');
authUrl.searchParams.set('state', generateRandomString(32));
// 3. Exchange code for tokens
const tokenResponse = await fetch(
'https://app.arqera.io/oauth/token',
{
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'authorization_code',
code: authorizationCode,
redirect_uri: REDIRECT_URI,
client_id: CLIENT_ID,
code_verifier: verifier,
}),
}
);
const { access_token, refresh_token, id_token } = await tokenResponse.json();Single Sign-On (SSO)
Enterprise SSO via SAML 2.0 or OpenID Connect, managed through WorkOS
Supported Identity Providers
Okta
SAML 2.0
Microsoft Entra ID
SAML 2.0 / OIDC
Google Workspace
OIDC
Custom SAML IdP
SAML 2.0
SAML 2.0 Configuration
Provide these Service Provider (SP) details to your identity provider:
https://api.arqera.io/auth/sso/saml/metadata/<your-tenant>https://api.arqera.io/auth/sso/callbackhttps://api.arqera.io/auth/sso/logouturn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressOpenID Connect Configuration
For OIDC-based SSO, configure the following in your identity provider:
https://app.arqera.io/auth/sso/callbackopenid email profilecodeJust-in-Time Provisioning
When a user authenticates via SSO for the first time, ARQERA automatically creates their account and assigns them the Member role within your tenant. No manual user creation required. Name and email are synced from the identity provider on each login.
SSO is available on the Business and Enterprise plans. Configure connections from System → SSO & Provisioning.
SCIM Provisioning
Automate user lifecycle management with your identity provider
| Spec | SCIM 2.0 (RFC 7643 / 7644) |
| Supported resources | Users, Groups |
| Operations | Create, Read, Update, Delete, Patch, Filter |
| Bulk operations | Not currently supported |
| Auth method | Bearer token (API key with admin scope) |
| Max filter results | 200 |
| Change password | Supported |
| ETag | Supported |
SCIM Endpoint
https://app.arqera.io/api/scim/v2Configure this URL in your identity provider. Generate a SCIM token from System → SSO & Provisioning in the ARQERA app. The token requires the admin scope.
Configuration Guides
Okta
Applications → Add App → SCIM provisioning
Microsoft Entra ID
Enterprise Apps → Provisioning → SCIM
OneLogin
Applications → Parameters → SCIM config
JumpCloud
SSO Applications → Identity Management → SCIM
JWT Tokens
RS256-signed session tokens for authenticated user sessions
Token Details
| Algorithm | RS256 (RSA with SHA-256) |
| Access token lifetime | 15 minutes |
| Refresh token lifetime | 7 days (configurable) |
| Token format | JWT (RFC 7519) |
| Key verification | JWKS endpoint for public key discovery |
| Claims | sub, email, tenant_id, roles, iat, exp, iss, aud |
Token Usage
// Login and receive tokens
const response = await fetch('https://api.arqera.io/auth/login', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
email: '[email protected]',
password: 'your-password',
}),
});
const { access_token, refresh_token } = await response.json();
// Use access token for authenticated requests
const data = await fetch('https://api.arqera.io/api/governance/evaluations', {
headers: { Authorization: `Bearer ${access_token}` },
});
// Refresh when access token expires
const refreshResponse = await fetch('https://api.arqera.io/auth/refresh', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ refresh_token }),
});
const { access_token: newAccessToken } = await refreshResponse.json();Security Model
A 5-layer immune system protecting every request, every action, every decision
Input Validation
All incoming data is validated at system boundaries. Request schemas are enforced, payloads are sanitized, and malformed input is rejected before it reaches business logic.
Authentication
Identity verification via API keys, OAuth tokens, SSO assertions, or JWT sessions. Every request must present valid credentials before processing.
Authorization
Permission enforcement via role-based access control (RBAC). Actions are checked against the user's role, custom permissions, and tenant-scoped boundaries.
Governance
AI-powered intent classification evaluates risk and applies approval workflows. High-risk actions require explicit human approval before execution.
Audit
Every action emits an immutable evidence artifact with a SHA-256 hash. The full audit trail is queryable, exportable, and tamper-evident.
Multi-Factor Authentication
- TOTP (Google Authenticator, Authy, 1Password)
- WebAuthn / FIDO2 hardware keys
- Passkey support (biometric)
- Tenant-wide MFA enforcement
Session Management
- Configurable session lifetime
- Concurrent session limits
- Remote session revocation
- Idle timeout enforcement
IP Allowlisting
Restrict access to specific IP addresses or CIDR ranges. Available on the Enterprise plan. Configure from Settings → Security → IP Allowlist.
Anomaly Detection
Powered by WorkOS Radar. Detects suspicious login patterns, impossible travel, credential stuffing, and brute-force attempts. Automatic blocking and alert escalation.
Rate Limits
Fair usage enforcement with transparent headers
| Plan | Requests / Minute | Burst | Daily Limit |
|---|---|---|---|
| Free | 60 req/min | 10 | 5,000/day |
| Team | 300 req/min | 50 | 50,000/day |
| Business | 1,000 req/min | 200 | 500,000/day |
| Enterprise | Custom | Custom | Unlimited |
Rate Limit Headers
Every API response includes rate limit headers so you can track your usage:
| Header | Description |
|---|---|
X-RateLimit-Limit | Maximum requests allowed in the current window |
X-RateLimit-Remaining | Requests remaining in the current window |
X-RateLimit-Reset | Unix timestamp when the window resets |
X-RateLimit-Category | Rate limit category applied (e.g. auth, ai, global) |
Retry-After | Seconds to wait before retrying (only on 429 responses) |
Handling 429 Responses
When rate limited, you receive a 429 Too Many Requests response. Implement exponential backoff with jitter:
async function fetchWithRetry(url: string, options: RequestInit, maxRetries = 3) {
for (let attempt = 0; attempt <= maxRetries; attempt++) {
const response = await fetch(url, options);
if (response.status !== 429) return response;
if (attempt === maxRetries) {
throw new Error('Rate limit exceeded after max retries');
}
const retryAfter = parseInt(response.headers.get('Retry-After') || '1');
const jitter = Math.random() * 1000;
const delay = retryAfter * 1000 * Math.pow(2, attempt) + jitter;
await new Promise(resolve => setTimeout(resolve, delay));
}
}Security Best Practices
Follow these guidelines to keep your integration secure
Never expose keys in client-side code
API keys must only be used server-side. Use OAuth 2.0 with PKCE for browser and mobile applications.
Use environment variables
Store credentials in environment variables or a secrets manager. Never commit keys to source control.
Rotate keys regularly
Keys expire automatically after 90 days. Create a new key, migrate services, then revoke the old key. Zero-downtime rotation.
Apply least-privilege scopes
Create separate keys per service with only the scopes needed. A reporting service should not have ara:execute permissions.
Enable MFA for all team members
Require TOTP-based multi-factor authentication for every user account. Enforce via team security settings.
Monitor audit logs
Review the evidence trail regularly. Set up webhook alerts for suspicious patterns like failed auth attempts or privilege escalation.
Integration Security Checklist
Secure your AI operations today
Start with a free account. Enterprise SSO, SCIM, and IP allowlisting available on Business and Enterprise plans.