Authentication is header-based: you send a workspace API key on every authenticated route. There is no separate OAuth or session cookie for the public JSON API.Documentation Index
Fetch the complete documentation index at: https://docs.phrony.com/llms.txt
Use this file to discover all available pages before exploring further.
API keys
Create and revoke keys in the Phrony dashboard (workspace or Settings, depending on layout). Each key is a single secret; issued keys are prefixed with phk_. Do not commit keys to source control or put them in client-side code; use environment variables or a secret manager on your server.
Headers (authenticated routes)
| Header | Required | Value |
|---|---|---|
X-API-Key | Yes for authenticated routes | Your workspace API key (prefix phk_). |
Content-Type | When sending a JSON body | application/json |
X-API-Key in CORS preflight.
Example
Every authenticated request adds the same header. ReplaceRUN_ID after you start a run.
Scoping
Keys are scoped to your workspace and to specific agent and API trigger pairs (and optionally other constraints). The scope determines what you may call:| Your call | What Phrony checks |
|---|---|
POST /v1/agents/{agentId}/runs | The key must be scoped to that agentId and the API trigger used to start the run. The path agentId must match. |
GET /v1/agents/{agentId}/sessions | Same as above: agentId in the path must match the key’s agent scope. |
GET / POST under /v1/runs/{runId}/… | The key must be an active key for the workspace, and the key must be allowed to access that run (same agent, and when the run is tied to a trigger, a scope that includes that trigger). |
POST /v1/file-library/presign and …/finalize | The key must have file uploads enabled. |
File uploads
POST to /v1/file-library/* returns 403 if Allow file uploads is not enabled for that key, even when the key is otherwise valid.
See File library for the upload flow.