Authentication
The Backbone Lab API supports two authentication methods: long-lived API keys for server-to-server integrations, and short-lived OAuth access tokens minted by Workload Identity Federation for credential-less cloud deployments.
API keys
Create and revoke keys in the Console under Settings → API keys. Each key is scoped to a single workspace and can be limited to specific endpoints.
curl https://api.bkbn.com/v1/workflows \
  -H "x-api-key: $BKBN_API_KEY" \
  -H "bkbn-version: 2026-01-01"
Workload Identity Federation
For workloads running on AWS, GCP or Azure, exchange a cloud-issued OIDC token for a short-lived BKBN access token. No long-lived secrets in your stack.
POST https://api.bkbn.com/v1/oauth/token
content-type: application/json

{
  "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
  "subject_token": "<cloud-oidc-jwt>",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "audience": "https://api.bkbn.com"
}
The response carries an access_token valid for one hour. Pass it as Authorization: Bearer <token> on subsequent calls.
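The following client-side sketch of the exchange above is an added example, not Backbone Lab's own SDK code: it caches the access token, re-runs the exchange shortly before the one-hour lifetime ends, and never writes the token into error messages. The class name `FederatedTokenSource`, the `fetch_subject_token` callable, the 60-second refresh margin and the `expires_in` response field are assumptions; only `access_token` and the one-hour validity come from this page.

```python
import json
import time
import urllib.request

TOKEN_URL = "https://api.bkbn.com/v1/oauth/token"
DEFAULT_TTL = 3600   # the page states the access token is valid for one hour
REFRESH_MARGIN = 60  # assumption: renew one minute before expiry


def http_post_json(url, body):
    """Default transport: POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"content-type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class FederatedTokenSource:
    """Exchanges a cloud OIDC JWT for a BKBN access token and caches it until near expiry."""

    def __init__(self, fetch_subject_token, post=http_post_json, clock=time.monotonic):
        self._fetch_subject_token = fetch_subject_token  # hypothetical callable returning the cloud JWT
        self._post, self._clock = post, clock
        self._token, self._expires_at = None, 0.0

    def _exchange(self):
        resp = self._post(TOKEN_URL, {
            "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
            "subject_token": self._fetch_subject_token(),  # fetched fresh for every exchange
            "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
            "audience": "https://api.bkbn.com",
        })
        token = resp.get("access_token")
        if not isinstance(token, str) or not token:
            raise RuntimeError("token exchange response has no access_token")
        # expires_in is an assumed field; never trust a lifetime longer than the documented hour.
        ttl = min(float(resp.get("expires_in", DEFAULT_TTL)), DEFAULT_TTL)
        self._token = token
        self._expires_at = self._clock() + ttl

    def headers(self, version="2026-01-01"):
        """Return request headers, re-running the exchange if the token is missing or about to expire."""
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN:
            self._exchange()
        return {"Authorization": f"Bearer {self._token}", "bkbn-version": version}
```

Pass a `fetch_subject_token` that reads the cloud provider's OIDC token at call time, so each exchange presents a current JWT instead of one captured at startup.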
Header reference
| Header | Purpose |
|---|---|
| x-api-key | Long-lived API key. |
| Authorization | Short-lived OAuth bearer token. |
| bkbn-version | Pinned API version, e.g. 2026-01-01. |
| bkbn-workspace | Optional override of the key's default workspace. |
Rotating keys
Rotate API keys at least every 90 days. Create a new key, deploy it, then revoke the old one from the Console. The audit log retains usage for 13 months.