Authentication
Signup, login, session tokens, API key management, key scopes, key rotation, and security model.
Overview
Ingate is a cloud-only platform. There is no self-hosted option. All authentication flows go through api.ingateai.com.
Two authentication methods are supported: API keys for machine-to-machine access (proxy, ingestion, programmatic API calls) and session tokens for user-facing flows (dashboard, management API).
Header-only authentication
X-Ingate-Key header. Query parameter authentication (?key=) is not supported. Keys in URLs leak to server logs, browser history, and Referer headers.Signup & Login
Create an account to get your organization and first API key. The signup flow creates an organization, a user, and an initial API key in a single call.
# Sign up (creates org + user + first API key)
curl -X POST https://api.ingateai.com/api/v1/signup \
-H "Content-Type: application/json" \
-d '{
"email": "dev@acme.com",
"password": "strong-password-here",
"org_slug": "acme-corp",
"org_name": "Acme Corporation",
"display_name": "Alice Developer"
}'The response includes a session token and your first API key:
{
"org": { "id": "...", "slug": "acme-corp", "plan": "free" },
"user": { "id": "...", "email": "dev@acme.com" },
"api_key": "sk-ingate-abc123...",
"token": "eyJhbGciOiJIUzI1NiIs..."
}Save your API key
# Log in (returns session token)
curl -X POST https://api.ingateai.com/api/v1/login \
-H "Content-Type: application/json" \
-d '{"email": "dev@acme.com", "password": "your-password"}'Rate limiting
/signup and /login endpoints are rate-limited to 10 attempts per 15 minutes per IP address for brute-force protection. Exceeding this limit returns 429 Too Many Requests with a Retry-After header indicating when you can try again.API Key Authentication
Use the X-Ingate-Key header for all proxy and API requests. This is the only supported method. Query parameter authentication is not available.
curl https://api.ingateai.com/v1/chat/completions \
-H "X-Ingate-Provider: openai" \
-H "X-Ingate-Key: sk-ingate-your-key" \
-H "Content-Type: application/json" \
-d '{"model": "gpt-4o-mini", "messages": [{"role": "user", "content": "Hello"}]}'Key Format
API keys use the format sk-ingate-<64 hex chars>. Keys are stored as SHA-256 hashes. Raw keys cannot be recovered from the database. Only a truncated hash prefix is retained for log correlation; full keys are never logged.
Session Token Authentication
For dashboard and management API access, use a Bearer token from login or signup. Session tokens are signed with HMAC-SHA256 and expire after 24 hours.
curl https://api.ingateai.com/api/v1/auth/entitlements \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."API Key Management
Create, list, and revoke API keys for your organization:
# Create a new API key
curl -X POST https://api.ingateai.com/api/v1/keys \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"name": "Production Backend",
"scopes": ["provider:openai", "provider:anthropic"],
"app_id": "optional-app-uuid"
}'
# List keys (shows prefix and metadata only, not raw keys)
curl https://api.ingateai.com/api/v1/keys \
-H "Authorization: Bearer <token>"
# Revoke a key
curl -X DELETE https://api.ingateai.com/api/v1/keys/{keyId} \
-H "Authorization: Bearer <token>"Key Scopes
Restrict what a key can do by assigning scopes. Scoped keys are denied access outside their allowed providers/models with a 403 scope_denied error.
| Scope | Format | Example |
|---|---|---|
| Wildcard | * | Access all providers and models |
| Provider | provider:<name> | provider:openai |
| Model | model:<name> | model:gpt-4o |
Default scopes
*) for backward compatibility.Key Rotation
Rotate a key without downtime using an overlap period. During the overlap, both the old and new keys are valid.
# Rotate a key with 24-hour overlap
curl -X POST https://api.ingateai.com/api/v1/keys/{keyId}/rotate \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"overlap_hours": 24}'{
"key": { "id": "new-key-uuid", "key_prefix": "sk-ingat" },
"raw_key": "sk-ingate-new-key-abc...",
"overlap_hours": 24,
"message": "new key created; old key expires after overlap period"
}Multi-Org Access
Users can belong to multiple organizations. Use the org switcher to change context:
# List orgs you belong to
curl https://api.ingateai.com/api/v1/auth/orgs \
-H "Authorization: Bearer <token>"
# Switch to a different org (returns new token scoped to that org)
curl -X POST https://api.ingateai.com/api/v1/auth/switch-org \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"org_id": "target-org-uuid"}'Security
Summary of the security measures applied across the authentication system:
| Measure | Details |
|---|---|
| Header-only API key auth | Keys are sent exclusively via the X-Ingate-Key header. Query parameter auth was removed. Keys in URLs leak to server logs, browser history, and Referer headers. |
| Rate limiting on auth endpoints | /signup and /login are limited to 10 attempts per 15 minutes per IP address. Exceeding the limit returns 429 Too Many Requests with a Retry-After header. |
| Password hashing | Passwords are hashed with bcrypt before storage. Raw passwords are never persisted or logged. |
| Session token signing | Session tokens are signed with HMAC-SHA256 and have a fixed 24-hour expiry. Expired tokens are rejected immediately. |
| API key storage | Keys are stored as SHA-256 hashes. Raw keys are never logged. Only a truncated hash prefix is retained for correlation in audit logs and diagnostics. |
Rotate keys regularly