Authenticating with product API keys

API surfaces use API keys for authentication. Include your key in the Authorization header of every request.

Authentication method

Runtype uses Bearer token authentication. Include your API key in the Authorization header or the X-API-Key header:

Authorization: Bearer YOUR_API_KEY
X-API-Key: YOUR_API_KEY

Making authenticated requests

API Surface endpoints follow this pattern:

https://api.runtype.com/v1/products/{productId}/surfaces/{surfaceId}/api/{capabilitySlug}

Example using curl:

curl -X POST https://api.runtype.com/v1/products/{productId}/surfaces/{surfaceId}/api/{capabilitySlug} \
  -H "Authorization: Bearer papi_xxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"input": "Your input here"}'

Example using JavaScript fetch:

// Replace {productId}, {surfaceId}, {capabilitySlug} and the key with your own values.
const response = await fetch('https://api.runtype.com/v1/products/{productId}/surfaces/{surfaceId}/api/{capabilitySlug}', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer papi_xxxxxx',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ input: 'Your input here' })
});

const data = await response.json();

Example using Python:

import requests

# Replace {productId}, {surfaceId}, {capabilitySlug} and the key with your own values.
response = requests.post(
    'https://api.runtype.com/v1/products/{productId}/surfaces/{surfaceId}/api/{capabilitySlug}',
    headers={
        'Authorization': 'Bearer papi_xxxxxx',
        'Content-Type': 'application/json'
    },
    json={'input': 'Your input here'}
)

data = response.json()

API key prefixes

API Surface keys use the papi_ prefix. Find your exact endpoint URLs and keys in the Endpoints and Keys tabs of your API Surface.

Authentication errors

Common authentication error responses:

401 Unauthorized:

{
  "error": "Invalid or missing API key"
}

Causes: Missing Authorization header, incorrect key format, or revoked key

403 Forbidden:

{
  "error": "API key does not have permission to access this resource"
}

Causes: Key scoped to different capabilities, or insufficient permissions

Best practices

  • Environment variables — Store keys in env vars, never in code
  • Separate keys — Use different keys for dev and production
  • Rotate regularly — Generate new keys periodically and revoke old ones
  • Scope permissions — Limit keys to only the capabilities they need

Never expose API keys in client-side JavaScript, mobile apps, or public repositories. Use server-side code or secure proxy services.
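
Added example (not Runtype's own code): a server-side caller that reads the key from an environment variable, accepts only papi_ keys, logs a redacted form, and turns the 401 and 403 responses described above into distinct errors. The variable name RUNTYPE_API_KEY, the function names and the placeholder IDs are assumptions of this example.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://api.runtype.com/v1"  # from the endpoint pattern on this page
KEY_ENV_VAR = "RUNTYPE_API_KEY"  # assumed variable name, not defined by Runtype


def load_api_key(env=os.environ):
    """Read the key from the environment; accept only API Surface (papi_) keys."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key.startswith("papi_"):
        raise RuntimeError(f"{KEY_ENV_VAR} is unset or lacks the papi_ prefix")
    return key


def redact(key):
    """Log-safe form of a key: prefix and last four characters only."""
    return f"papi_...{key[-4:]}" if len(key) > 12 else "papi_..."


def build_request(key, product_id, surface_id, capability_slug, payload):
    """Build the POST; the key travels only in the Authorization header."""
    ids = [urllib.parse.quote(p, safe="") for p in (product_id, surface_id, capability_slug)]
    url = f"{API_BASE}/products/{ids[0]}/surfaces/{ids[1]}/api/{ids[2]}"
    headers = {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}
    body = json.dumps(payload).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def call_capability(req, opener=urllib.request.urlopen):
    """Send the request; map the documented 401/403 replies to an operator action."""
    try:
        with opener(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise PermissionError("401: key missing, malformed or revoked") from None
        if err.code == 403:
            raise PermissionError("403: key not scoped to this capability") from None
        raise


if __name__ == "__main__":
    key = load_api_key()
    print("using key", redact(key))  # never log the key itself
    req = build_request(key, "PRODUCT_ID", "SURFACE_ID", "CAPABILITY_SLUG", {"input": "hi"})
    print(call_capability(req))
```
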

Rotating compromised keys

If a key is exposed:

  1. Go to your API surface settings
  2. Find the compromised key
  3. Click Revoke
  4. Create a new key
  5. Update your application with the new key

Revoked keys stop working immediately.

Next steps

  • Calling your API endpoints for request/response details
  • Scoping API keys to capabilities
  • Setting up an API surface