Authentication
API key management and role-based access control.
API keys
All /v1/* endpoints require a Bearer token in the Authorization header:
Authorization: Bearer br_live_...
Create keys in the dashboard or programmatically via the /auth/api-keys endpoint after signing in with your Supabase account.
Key properties
Each key supports optional constraints:
| Property | Description |
|---|---|
| name | Human-readable label |
| rateLimitRpm | Max requests per minute |
| budgetLimitUsd | Spend cap (daily or monthly) |
| budgetPeriod | "daily" or "monthly" |
| expiresAt | ISO 8601 expiration date |
| allowedModels | Restrict to specific models |
Roles & RBAC
Keys are assigned one or more roles. Each role grants a set of permissions:
| Role | Permissions |
|---|---|
| admin | Full access to all endpoints |
| developer | Route requests, read config, read audit logs |
| operator | Read config, read audit logs |
| auditor | Read-only audit access |
| agent | Route requests only (router.write, router.read) |
Keys without an explicit role default to admin (with a deprecation warning). Always assign explicit roles in production.
Permission map
| Endpoint | Permission |
|---|---|
| POST /v1/chat/completions | router.write |
| GET /v1/models | router.read |
| GET /v1/tasks | config.read |
| POST /v1/tasks | config.write |
| DELETE /v1/tasks/:id | config.write |
| GET /v1/usage/* | audit.read |
| GET /v1/config/* | config.read |
| PUT /v1/config/* | config.write |
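The following is an added example, not code from this project: a local model of the roles table and permission map that picks the smallest set of roles covering the calls a client makes, and shows what a key with no explicit role can reach. The permission names for developer, operator and auditor are inferred from their descriptions, the matching of `:id` and `*` is an assumption, and the key dictionaries in use are constructed samples.

```python
from itertools import combinations

# (method, path pattern, permission) rows copied from the permission map on this page.
PERMISSION_MAP = [
    ("POST", "/v1/chat/completions", "router.write"),
    ("GET", "/v1/models", "router.read"),
    ("GET", "/v1/tasks", "config.read"),
    ("POST", "/v1/tasks", "config.write"),
    ("DELETE", "/v1/tasks/:id", "config.write"),
    ("GET", "/v1/usage/*", "audit.read"),
    ("GET", "/v1/config/*", "config.read"),
    ("PUT", "/v1/config/*", "config.write"),
]
ROLE_PERMISSIONS = {  # assumption: role descriptions mapped to permission names
    "agent": {"router.write", "router.read"},
    "auditor": {"audit.read"},
    "operator": {"config.read", "audit.read"},
    "developer": {"router.write", "router.read", "config.read", "audit.read"},
    "admin": {perm for _, _, perm in PERMISSION_MAP},
}

def _matches(pattern, path):
    pat, seg = pattern.split("/"), path.split("/")
    for i, p in enumerate(pat):
        if p == "*":                      # wildcard covers the rest of the path
            return len(seg) > i
        if i >= len(seg) or (p != seg[i] and not (p.startswith(":") and seg[i])):
            return False
    return len(pat) == len(seg)

def required_permission(method, path):
    for m, pattern, perm in PERMISSION_MAP:
        if m == method.upper() and _matches(pattern, path):
            return perm
    return None                           # endpoint not listed in the map

def is_allowed(key, method, path):
    roles = key.get("roles") or ["admin"]  # no explicit role: defaults to admin
    perm = required_permission(method, path)
    granted = set().union(*(ROLE_PERMISSIONS[r] for r in roles))
    return perm in granted if perm else "admin" in roles

def least_privileged_roles(calls):
    needed = {required_permission(m, p) for m, p in calls}
    if None in needed:
        raise ValueError("a call is not covered by the permission map")
    union = lambda combo: set().union(*(ROLE_PERMISSIONS[r] for r in combo))
    combos = [c for n in range(1, 6) for c in combinations(ROLE_PERMISSIONS, n)]
    return list(min((c for c in combos if needed <= union(c)),
                    key=lambda c: (len(union(c)), len(c))))
```

A client that routes requests and reads its own usage resolves to `agent` plus `auditor` rather than `developer`, which would also grant `config.read`.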