Evose

Authentication

API Key · Bearer Token · Scopes

The Evose API uses Bearer Token authentication. Tokens come from organization-level API Keys.

Create an API Key

[Org management · API Management] → New API Key:

Field | Description
Name | Note the use (e.g. marketing-prod-key)
Scopes | Restrict accessible resource types
Workspace restriction | Specific workspaces only (optional)
Expiration | Auto-expire (optional)
IP allowlist | Allowed IPs only (optional)

Key shown once

The full key is shown only at the moment of creation; once you close the dialog it cannot be viewed again. Save it immediately.

Usage

Each request carries the Authorization header:

Authorization: Bearer evk_xxxxxxxxxxxxxxxxx

Scopes

Scope | Includes
read | List / read resources
agent:invoke | Invoke Agents
workflow:invoke | Trigger Workflows
knowledge:read | Search knowledge bases
knowledge:write | Upload / delete documents
admin | Manage resources (create / modify / delete)
* | All (use with care)

Least privilege

Grant business-system keys only the scopes they need. For example, a backend that only invokes Agents should be granted only agent:invoke.

Public Keys (for the Front End)

Some scenarios need direct front-end calls (such as the JS SDK) — use a public key:

Authorization: Bearer pub_xxxxxxxxxxxxxxxxx

Public keys:

  • Allowed only on specific endpoints (chat invocation)
  • Restricted by domain allowlist (anti-theft)
  • Cannot access management APIs

User Identity

Calls must indicate the end user (for audit, attribution, ACL checks):

{
  "message": "...",
  "user_id": "u-internal-id",
  "user_name": "Alice",
  "user_email": "alice@example.com"
}

Credential Rotation

Action | Behavior
Create new key | Immediately usable
Mark old key deprecated | Still works; UI shows red warning
Revoke old key | Immediately invalidated

Recommended rotation: 90 days. Strict compliance: 30 days.
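
The least-privilege and rotation guidance above can be checked mechanically. The following is an added example, not Evose code: it audits a constructed key inventory whose record layout (name, scopes, created, expires, ip_allowlist, status) is an assumption, since this page does not document a key-listing API.

```python
from datetime import date

# Scopes the page lists as broad: "*" (all) and "admin" (manage resources).
BROAD_SCOPES = {"*", "admin"}

def audit_key(key, today, max_age_days=90):
    """Return a list of findings for one key record (hypothetical record layout)."""
    findings = []
    broad = BROAD_SCOPES & set(key["scopes"])
    if broad:
        findings.append("broad scope: " + ", ".join(sorted(broad)))
    if key.get("expires") is None:
        findings.append("no expiration set")
    if not key.get("ip_allowlist"):
        findings.append("no IP allowlist")
    age = (today - key["created"]).days
    if age > max_age_days:
        findings.append(f"older than {max_age_days} days ({age} days)")
    if key.get("status") == "deprecated":
        findings.append("deprecated but not revoked, still usable")
    return findings

def audit_inventory(keys, today, max_age_days=90):
    """Map key name -> findings, skipping revoked keys and keys with no findings."""
    report = {}
    for key in keys:
        if key.get("status") == "revoked":
            continue  # revoked keys are already invalidated
        findings = audit_key(key, today, max_age_days)
        if findings:
            report[key["name"]] = findings
    return report

# Constructed sample inventory; names, dates and field names are illustrative.
SAMPLE_KEYS = [
    {"name": "marketing-prod-key", "scopes": ["agent:invoke"], "created": date(2025, 1, 10),
     "expires": date(2025, 4, 10), "ip_allowlist": ["203.0.113.10"], "status": "active"},
    {"name": "legacy-integration", "scopes": ["*"], "created": date(2024, 6, 1),
     "expires": None, "ip_allowlist": [], "status": "deprecated"},
    {"name": "kb-sync", "scopes": ["knowledge:read", "knowledge:write"], "created": date(2025, 1, 20),
     "expires": date(2025, 4, 20), "ip_allowlist": ["203.0.113.20"], "status": "active"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_KEYS, date(2025, 3, 1)).items():
        print(name, "->", "; ".join(findings))
```

Pass max_age_days=30 to apply the strict-compliance rotation interval instead of the 90-day default.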
