Authentication

There are two supported ways to call the Arcane API. Pick the one that matches your deployment and threat model.

If you call the API through the dashboard (/api/proxy/...), your client does not send an API key. The dashboard signs each request server-side with a short-lived rotating token.

Example request through the dashboard proxy (no API key)

curl "https://YOUR_DASHBOARD_DOMAIN/api/proxy/snapshot"

Mode B: Direct backend (partners/customers)

When calling the backend directly, include your API key in the X-API-Key header on protected endpoints:

Direct backend request

curl "https://YOUR_BACKEND_DOMAIN/snapshot" \
  -H "X-API-Key: your-api-key"

Which endpoints require auth?

Typically:

  • No auth: GET /health, GET /
  • Auth required: GET /snapshot, GET /signal, GET /history, GET /alert-transitions, GET /stream, and most /api/* resources.

Security Best Practices

  • Keep keys secure: Never commit API keys to version control or share them publicly
  • Rotate regularly: Generate new keys periodically for enhanced security
  • Monitor usage: Check your API key usage through the dashboard analytics
  • Revoke compromised keys: Immediately revoke keys if you suspect they've been compromised
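
One way to apply "Keep keys secure" to the direct backend calls above, as an added example that is not Arcane's own tooling: the key is read from the environment, handed to curl on stdin rather than on the command line, and left out of requests to the endpoints listed as needing no auth. The names ARCANE_API_KEY, ARCANE_BACKEND, needs_key, arcane_curl_config and arcane_get are assumptions, as is the allowed key character set.

```shell
#!/usr/bin/env bash
# Added example, not part of the Arcane documentation or tooling.
# Assumed names: ARCANE_API_KEY, ARCANE_BACKEND and the three functions below.

# Endpoints the page lists as "No auth"; every other path gets the key.
needs_key() {
  case "$1" in
    /|/health) return 1 ;;
    *)         return 0 ;;
  esac
}

# Print a curl config for GET <path>. Fails closed when a protected
# endpoint is requested and no usable key is present in the environment.
arcane_curl_config() {
  _path=$1
  _base=${ARCANE_BACKEND:-https://YOUR_BACKEND_DOMAIN}
  _hdr=
  if needs_key "$_path"; then
    if [ -z "${ARCANE_API_KEY:-}" ]; then
      echo "ARCANE_API_KEY is not set" >&2
      return 1
    fi
    # Assumed key alphabet: reject anything that could break out of the
    # quoted header line in the curl config (quotes, newlines, spaces).
    case "$ARCANE_API_KEY" in
      *[!A-Za-z0-9._-]*)
        echo "ARCANE_API_KEY contains unexpected characters" >&2
        return 1 ;;
    esac
    _hdr=$(printf 'header = "X-API-Key: %s"' "$ARCANE_API_KEY")
  fi
  printf 'url = "%s%s"\nfail\nsilent\nshow-error\n' "$_base" "$_path"
  [ -z "$_hdr" ] || printf '%s\n' "$_hdr"
}

# Pipe the config to curl on stdin so the key never appears in curl's
# argument list, where other local users could read it from the process table.
arcane_get() {
  _cfg=$(arcane_curl_config "$1") || return 1
  printf '%s\n' "$_cfg" | curl --config -
}
```

Set ARCANE_API_KEY from a secret manager or an untracked file, then call `arcane_get /snapshot`.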