Authentication Overview
AIM provides multiple authentication methods to secure your AI agents and platform access, from simple API keys to enterprise-grade OAuth/OIDC integration.
JWT Bearer Tokens
Primary authentication for web UI and user interactions. Short-lived access tokens with automatic refresh rotation.
API Keys
Programmatic access for SDKs and automated agents. Keys are stored as SHA-256 hashes, with usage tracking and rate limiting.
OAuth 2.0 / OIDC
OAuth 2.0 is used for SDK token management with secure refresh token rotation. This enables SDKs to maintain long-lived sessions with automatic token renewal.
Ed25519 Signatures
Ed25519 public-key signatures verify the actions of AI agents; keys are managed through a public key infrastructure with automatic key rotation.
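The API Keys entry above says keys are stored SHA-256 hashed, with usage tracking and rate limiting. The following is an added example of how a server can implement exactly that; it is not AIM's code, and the key layout `ak_<env>_<key id>_<secret>` is an assumption modelled on the `ak_live_...` placeholder used in the quick start below. Only the key id is stored in clear for lookup; the secret is hashed, compared in constant time, rejected after 90 days, rejected when presented to the wrong environment, and counted against a fixed-window rate limit.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumed key layout (not AIM's documented format): ak_<env>_<key id>_<secret>.
# The key id is stored in clear for lookup; only sha256(secret) is stored.


@dataclass
class StoredKey:
    key_id: str
    secret_hash: bytes              # sha256(secret); the secret itself is never stored
    created_at: float
    use_count: int = 0              # usage tracking
    last_used_at: Optional[float] = None
    window_start: float = 0.0       # fixed-window rate limiting state
    window_count: int = 0


class ApiKeyStore:
    ROTATION_SECONDS = 90 * 24 * 3600   # "Rotate API keys every 90 days"
    RATE_LIMIT = 100                    # requests per window (constructed limit)
    WINDOW_SECONDS = 60

    def __init__(self, env: str = "live"):
        self.env = env                  # keys issued for another environment are rejected
        self._keys: dict = {}

    def issue(self, now: Optional[float] = None) -> str:
        """Create a key; the full value is returned once and never stored."""
        now = time.time() if now is None else now
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(24)
        self._keys[key_id] = StoredKey(key_id, hashlib.sha256(secret.encode()).digest(), now)
        return f"ak_{self.env}_{key_id}_{secret}"

    def verify(self, presented: str, now: Optional[float] = None):
        """Return (accepted, reason); the reason is what you would log on rejection."""
        now = time.time() if now is None else now
        parts = presented.split("_", 3)         # the secret may itself contain '_'
        if len(parts) != 4 or parts[0] != "ak":
            return False, "malformed"
        _, env, key_id, secret = parts
        if env != self.env:
            return False, "wrong_env"
        rec = self._keys.get(key_id)
        if rec is None:
            return False, "unknown"
        # Compare hashes in constant time so response timing leaks nothing about the secret
        if not hmac.compare_digest(hashlib.sha256(secret.encode()).digest(), rec.secret_hash):
            return False, "bad_secret"
        if now - rec.created_at > self.ROTATION_SECONDS:
            return False, "expired"
        if now - rec.window_start >= self.WINDOW_SECONDS:
            rec.window_start, rec.window_count = now, 0
        rec.window_count += 1
        if rec.window_count > self.RATE_LIMIT:
            return False, "rate_limited"
        rec.use_count += 1
        rec.last_used_at = now
        return True, "ok"
```

Because only the hash is stored, a leaked database does not yield usable keys, and the distinct rejection reasons give the "monitor for suspicious activity" practice something concrete to alert on.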
Choosing the Right Method
| Method | Best For | Security Level | Setup Complexity |
|---|---|---|---|
| JWT Tokens | Web UI, mobile apps, browser-based access | High | Simple |
| API Keys | SDKs, CI/CD, automation scripts | Medium | Simple |
| OAuth/OIDC | SDK token management, refresh tokens | High | Simple |
| Ed25519 | AI agents, MCP servers, high-security ops | Maximum | Medium |
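Both the JWT and OAuth/OIDC rows rely on refresh token rotation, which the overview above describes as "short-lived access tokens with automatic refresh rotation". The following added example, not AIM's implementation, shows the server-side logic that makes rotation secure: each refresh token is single-use, every refresh issues a new pair inside the same session "family", and presenting an already-used refresh token revokes the whole family, so a stolen copy cannot be replayed and the legitimate client notices. All names and lifetimes are assumptions.

```python
import secrets
import time
from typing import Optional, Tuple


class TokenService:
    """Assumed token service for illustration (not AIM's code)."""
    ACCESS_TTL = 15 * 60            # short-lived access token
    REFRESH_TTL = 30 * 24 * 3600    # refresh token lifetime

    def __init__(self):
        self._access: dict = {}      # access token -> {user, family, exp}
        self._refresh: dict = {}     # refresh token -> {user, family, exp, used}
        self._revoked: set = set()   # families revoked after detected reuse

    def login(self, user: str, now: Optional[float] = None) -> Tuple[str, str]:
        now = time.time() if now is None else now
        family = secrets.token_hex(8)   # one family per login; rotation stays inside it
        return self._issue_pair(user, family, now)

    def _issue_pair(self, user, family, now):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = {"user": user, "family": family, "exp": now + self.ACCESS_TTL}
        self._refresh[refresh] = {"user": user, "family": family,
                                  "exp": now + self.REFRESH_TTL, "used": False}
        return access, refresh

    def authenticate(self, access: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a valid access token, else None."""
        now = time.time() if now is None else now
        rec = self._access.get(access)
        if rec is None or rec["exp"] <= now or rec["family"] in self._revoked:
            return None
        return rec["user"]

    def refresh(self, refresh: str, now: Optional[float] = None):
        """Rotate: returns ((access, refresh), 'ok') or (None, reason)."""
        now = time.time() if now is None else now
        rec = self._refresh.get(refresh)
        if rec is None:
            return None, "unknown"
        if rec["family"] in self._revoked:
            return None, "revoked"
        if rec["used"]:
            # A refresh token that was already rotated out is being presented again:
            # either the client or someone holding a copy is replaying it. Revoke the
            # whole family so that both parties lose the session.
            self._revoked.add(rec["family"])
            return None, "reuse_detected"
        if rec["exp"] <= now:
            return None, "expired"
        rec["used"] = True
        return self._issue_pair(rec["user"], rec["family"], now), "ok"
```

Note that revoking the family also invalidates the access tokens issued from it, which is why `authenticate` checks `_revoked` as well as expiry; a client that hits `reuse_detected` should send the user back through login.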
Quick Start Examples
1. Web Application (JWT)
Perfect for React, Vue, Angular applications:
```javascript
// Login and get JWT token
const response = await fetch('https://aim.example.com/api/v1/public/login', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    email: 'user@example.com',
    password: 'SecurePassword123!'
  })
});
// Keep both tokens in memory or an HttpOnly cookie, not localStorage (see Best Practices below)
const { access_token, refresh_token } = await response.json();

// Use token for authenticated requests
const agents = await fetch('https://aim.example.com/api/v1/agents', {
  headers: {
    'Authorization': `Bearer ${access_token}`
  }
});
```

2. SDK/Automation (API Key)
Ideal for Python scripts, CI/CD pipelines:
```python
import os
import requests

# Use API key for SDK operations. Load it from the environment rather than
# hardcoding it; the variable name is an example, the value looks like ak_live_...
headers = {
    'X-API-Key': os.environ['AIM_API_KEY'],
    'Content-Type': 'application/json'
}

# Register agent programmatically
response = requests.post(
    'https://aim.example.com/api/v1/sdk-api/agents/register',
    headers=headers,
    json={
        'name': 'my-automated-agent',
        'type': 'automation',
        'capabilities': ['data_processing', 'api_calls']
    }
)
response.raise_for_status()   # fail loudly on 401/403/429 instead of parsing an error body
agent_data = response.json()
print(f"Agent registered: {agent_data['agent_id']}")
```

3. Agent Verification (Ed25519)
High-security agent authentication:
```python
import base64
import os
import time

import requests
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

# Identifiers for the action being verified (placeholder values)
agent_id = 'agent_xxxxxxxx'            # the agent_id returned at registration
action = 'read'
resource = 'orders-db'
token = os.environ['AIM_ACCESS_TOKEN']  # JWT from the login flow; variable name is an example

# Load agent's private key
with open('agent_private_key.pem', 'rb') as f:
    private_key = serialization.load_pem_private_key(f.read(), password=None)
if not isinstance(private_key, ed25519.Ed25519PrivateKey):
    raise TypeError('agent_private_key.pem is not an Ed25519 key')

# Create signature for action verification. The timestamp and random nonce are
# part of the signed message so the server can reject stale or replayed requests.
timestamp = int(time.time())
nonce = base64.b64encode(os.urandom(16)).decode()
message = f"{agent_id}:{action}:{resource}:{timestamp}:{nonce}"
signature = private_key.sign(message.encode())
signature_b64 = base64.b64encode(signature).decode()

# Send verified request
response = requests.post(
    f'https://aim.example.com/api/v1/agents/{agent_id}/verify-action',
    headers={'Authorization': f'Bearer {token}'},
    json={
        'action': action,
        'resource': resource,
        'signature': signature_b64,
        'timestamp': timestamp,
        'nonce': nonce
    }
)
response.raise_for_status()
```

Security Best Practices
DO ✅
- Store tokens/keys in environment variables
- Rotate API keys every 90 days
- Use HTTPS for all API calls
- Implement token refresh logic
- Monitor for suspicious activity
- Enable 2FA for admin accounts

DON'T ❌
- Hardcode credentials in source code
- Share API keys between environments
- Store tokens in localStorage (use secure cookies)
- Log sensitive authentication data
- Ignore rate limit headers
- Skip certificate validation
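The Ed25519 quick start in section 3 shows only the signing side. The following added example (not AIM's code) shows the checks a verifier should run on that request body: reconstruct the same `agent_id:action:resource:timestamp:nonce` message, verify the Ed25519 signature against the agent's registered public key, reject timestamps outside a freshness window, and remember nonces so a captured request cannot be replayed. It uses the same `cryptography` package as the page's snippet; the `sign_action` helper mirrors the client code so the exchange runs end to end, and the 300-second skew window is an assumption.

```python
import base64
import os
import time
from typing import Optional

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ed25519


def canonical_message(agent_id, action, resource, timestamp, nonce) -> bytes:
    # Same layout the client signs in the quick start
    return f"{agent_id}:{action}:{resource}:{timestamp}:{nonce}".encode()


def sign_action(private_key, agent_id, action, resource, now: Optional[float] = None) -> dict:
    """Client side: mirrors the quick start and returns the JSON body it would POST."""
    timestamp = int(time.time() if now is None else now)
    nonce = base64.b64encode(os.urandom(16)).decode()
    sig = private_key.sign(canonical_message(agent_id, action, resource, timestamp, nonce))
    return {"action": action, "resource": resource, "timestamp": timestamp,
            "nonce": nonce, "signature": base64.b64encode(sig).decode()}


class ActionVerifier:
    """Server side (assumed design, not AIM's implementation)."""
    MAX_SKEW = 300   # seconds a timestamp may differ from server time (constructed value)

    def __init__(self, public_keys: dict):
        self._keys = public_keys        # agent_id -> Ed25519PublicKey registered for the agent
        self._seen: dict = {}           # (agent_id, nonce) -> time after which it can be forgotten

    def verify(self, agent_id: str, body: dict, now: Optional[float] = None):
        """Return (accepted, reason); every rejection is distinguishable for logging."""
        now = time.time() if now is None else now
        pub = self._keys.get(agent_id)
        if pub is None:
            return False, "unknown_agent"
        ts = body.get("timestamp")
        if not isinstance(ts, int) or abs(now - ts) > self.MAX_SKEW:
            return False, "stale_timestamp"
        # Forget nonces whose timestamps could no longer pass the window, then check replay
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        key = (agent_id, body.get("nonce"))
        if key in self._seen:
            return False, "replayed_nonce"
        try:
            sig = base64.b64decode(body["signature"], validate=True)
            pub.verify(sig, canonical_message(agent_id, body["action"], body["resource"], ts, body["nonce"]))
        except (InvalidSignature, KeyError, ValueError, TypeError):
            return False, "bad_signature"
        # Record the nonce only after the signature checked out, so unauthenticated
        # garbage cannot fill the replay cache
        self._seen[key] = ts + self.MAX_SKEW + 1
        return True, "ok"
```

The nonce cache only has to live as long as the freshness window, which keeps it bounded; in a multi-node deployment it would sit in shared storage rather than a per-process dict.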
Rate Limiting by Authentication Type
🚀 Next Steps
Ready to implement authentication in your application?