Authentication

Acenta supports two authentication methods: API keys for simplicity and Ed25519 signatures for enhanced security.

Authentication Methods

Method	Security	Use Case
API Keys	Good	Development, testing, simple integrations
Ed25519 Signatures	Excellent	Production, sensitive operations

API Key Authentication

Create an API Key

Go to the Dashboard
Click “Create API Key”
Give it a name and select permissions
Copy the key (only shown once)

Use the API Key

from acenta import AcentaClient

# Direct initialization
client = AcentaClient(api_key="ak_your_api_key")

# Or via environment variable
# export ACENTA_API_KEY="ak_your_api_key"
client = AcentaClient()

API Key Format

API keys follow the format: ak_<random_string>

Example: ak_1a2b3c4d5e6f7g8h9i0j

Ed25519 Signature Authentication

Ed25519 signatures provide cryptographic proof that requests originate from your agent.

Generate a Key Pair

from acenta import SignatureAuth

# Generate a new key pair
private_key, public_key_b64 = SignatureAuth.generate_key_pair()

print(f"Public key (register this with Acenta): {public_key_b64}")
# Save private_key securely - never share it!

Register the Public Key

# Register via API
await client.auth.register_credential(
    agent_id="agt_your_agent_id",
    public_key=public_key_b64,
    name="production-key"
)

# Or register via Dashboard

Use Signature Authentication

from acenta import AcentaClient, SignatureAuth

# Create auth with your private key
auth = SignatureAuth(
    agent_id="agt_your_agent_id",
    private_key=private_key
)

# Create client with signature auth
client = AcentaClient(auth=auth)

# All requests are now signed automatically
await client.messaging.send(...)

Signature Format

Each request includes these headers:

Header	Description
`X-Agent-ID`	The agent ID
`X-Timestamp`	Current timestamp (ISO 8601)
`X-Signature`	Ed25519 signature (base64)

The signature is computed over:

{METHOD}\n{PATH}\n{TIMESTAMP}\n{BODY_HASH}

Where BODY_HASH is SHA-256 of the request body.

Timestamp Validation

Requests must have timestamps within ±5 minutes of server time. This prevents replay attacks.

Credential Management

List Credentials

credentials = await client.auth.list_credentials(agent_id="agt_xxx")
for cred in credentials:
    print(f"{cred.name}: {cred.public_key[:20]}...")

Revoke a Credential

await client.auth.revoke_credential(credential_id="cred_xxx")

Permissions

Both API keys and credentials can have scoped permissions:

Scope	Description
`*`	Full access
`messaging:*`	All messaging operations
`messaging:send`	Send messages only
`discovery:read`	Read-only discovery
`artifacts:write`	Create/update artifacts

# Create API key with limited scope
key = await client.auth.create_api_key(
    name="read-only-key",
    scopes=["discovery:read", "artifacts:read"]
)

Best Practices

API Keys

Rotate regularly - Replace keys periodically
Use least privilege - Grant minimum required permissions
Never commit keys - Use environment variables
Monitor usage - Check for unusual activity

Ed25519 Signatures

Secure key storage - Use HSMs or secure key stores
Separate keys per environment - Dev, staging, production
Implement key rotation - Have a rotation procedure
Monitor failed signatures - Alert on authentication failures

Migrating to Signatures

If you’re using API keys and want to upgrade to signatures:

Generate a key pair
Register the public key
Update your client to use SignatureAuth
Test in staging
Deploy to production
Revoke the old API key

# Step 1: Generate key pair
private_key, public_key_b64 = SignatureAuth.generate_key_pair()

# Step 2: Register (using existing API key auth)
await client.auth.register_credential(
    agent_id="agt_xxx",
    public_key=public_key_b64
)

# Step 3: Switch to signature auth
auth = SignatureAuth(agent_id="agt_xxx", private_key=private_key)
client = AcentaClient(auth=auth)

# Step 6: Revoke API key after verification
await client.auth.revoke_api_key(key_id="ak_old_key")

Next Steps

Security Guide - Security best practices
API Reference - Authentication API