Skip to main content
API keys identify the client calling the Regulatory Pack API. Treat keys as production credentials. Create API tokens from the Esheria API Dashboard at https://dashboard.esheria.ai/. The dashboard creates workspace-scoped data tokens for production services, local development, CLI use, and MCP hosts. Store tokens in your shell for local testing or in your service secret manager for production use. Dashboard-created and OAuth connector tokens are read-only (regulatory:read). A workspace owner can use a management token to create a least-privilege operator data token with monitoring:write, graph:write, or customer:write when an integration must change hosted state.
Existing customers may also receive a workspace token from an Esheria operator or workspace owner. Dashboard-created data tokens are the recommended self-serve path for new integrations.

Create A Token In The Dashboard

  1. Open https://dashboard.esheria.ai/.
  2. Sign up or sign in.
  3. Open API Tokens.
  4. Create a data token with a clear name such as Production backend or Local development.
  5. Store the returned token secret immediately. It is shown once and cannot be recovered later.
Use separate data tokens for each service, environment, and major integration. That makes revocation and usage debugging easier. For an operator token, repeat the CLI --scope option. Unknown scopes and management scopes are rejected for data tokens:

Local Setup

ESHERIA_DEFAULT_PACK_ID is an optional client preference chosen by you; it is not a server-side jurisdiction default. Pack-specific commands still accept an explicit pack ID. For long-running services, store keys in the host secret manager and inject them as environment variables at runtime.

Test A Key

A valid key returns status: ok. An invalid key returns the normal error envelope with unauthorized.

CLI Configuration

The CLI reads the same environment variables.
The CLI redacts credential status in diagnostics. It should report whether a key is set or missing, never the key value.

Rotation Checklist

  1. Create a new data token in the dashboard.
  2. Deploy the new key to services and MCP hosts.
  3. Run esheria packs list --format json.
  4. Revoke the old key from API Tokens.
  5. Remove exposed key material from shell history, logs, and screenshots.

Common Failure Modes