Authentication

Every request to the Rigbox API (except public endpoints) must include an Authorization header with a valid credential.

API keys

API keys are the simplest way to authenticate. Create one from the dashboard under Settings → API Keys, or via the Create API Key endpoint.

curl https://api.rigbox.dev/api/v1/workspaces \
  -H "Authorization: Bearer rb_your_api_key_here"

API keys grant full access to your account. Store them in environment variables or a secrets manager - never commit them to source control.

All API keys use the rb_ prefix:

export RIGBOX_API_KEY="rb_..."

curl https://api.rigbox.dev/api/v1/workspaces \
  -H "Authorization: Bearer ${RIGBOX_API_KEY}"
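
A pre-commit style check for the "never commit them to source control" rule above, as an added example that is not Rigbox code: it flags strings carrying the documented rb_ prefix and skips the documentation placeholder. Only the rb_ prefix comes from this page; the key-body pattern (16 or more characters of letters, digits, _ and -), the function names and the sample key are assumptions made for illustration.

```python
import re
import sys

# Only the "rb_" prefix is documented; the body pattern is an ASSUMPTION.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])rb_[A-Za-z0-9_-]{16,}")
# Placeholder used in the documentation examples; must not fail the check.
PLACEHOLDERS = {"rb_your_api_key_here"}

def redact(key):
    """Show only the last 4 characters so findings are safe to log."""
    return "rb_***" + key[-4:]

def find_keys(text):
    """Return [(line_number, redacted_key)] for suspected keys in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            if match.group(0) not in PLACEHOLDERS:
                findings.append((lineno, redact(match.group(0))))
    return findings

def scan_files(paths):
    """Scan files (e.g. staged paths) and return {path: findings}."""
    results = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_keys(fh.read())
        except OSError:
            continue  # deleted or unreadable path: nothing to scan
        if hits:
            results[path] = hits
    return results

# Constructed sample: the key on line 3 is made up, not a real credential.
SAMPLE = """export RIGBOX_API_KEY="rb_..."
curl -H "Authorization: Bearer rb_your_api_key_here" https://api.rigbox.dev/api/v1/workspaces
curl -H "X-Rigbox-Key: rb_Zq8sT2mK4vX9pL1aB7cD3eF6" https://<APP_NAME>.rigbox.dev/endpoint
headers = {"Authorization": "Bearer " + os.environ["RIGBOX_API_KEY"]}
"""

if __name__ == "__main__":
    args = sys.argv[1:]
    found = scan_files(args) if args else {"<sample>": find_keys(SAMPLE)}
    for path, hits in found.items():
        for lineno, key in hits:
            print(f"{path}:{lineno}: possible Rigbox API key {key}")
    sys.exit(1 if found else 0)  # non-zero exit blocks the commit
```

Pass the staged file paths as arguments from a pre-commit hook; with no arguments the script scans the constructed sample.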

Bearer tokens (JWT)

If you authenticate through the dashboard login flow, you receive a JWT that can be used directly:

curl https://api.rigbox.dev/api/v1/workspaces \
  -H "Authorization: Bearer eyJhbG..."

JWTs expire after a set period. The dashboard handles refresh automatically.

Dashboard session tokens

The Rigbox frontends (rigbox.dev, clawd.rigbox.dev, sandbox.rigbox.dev) handle authentication automatically. Session tokens are managed by the dashboard - no extra setup needed for first-party UIs.

Choosing an auth method

| Client type | Recommended | Why |
| --- | --- | --- |
| Backend service, CI, agent | API key | Stable, easy to rotate, no expiry |
| First-party dashboard | Session token | User-scoped, automatic refresh |
| Third-party web app | Your backend + API key | Keep keys server-side, proxy requests |

Public endpoints

These endpoints do not require authentication:
  • GET /capacity - check platform availability
  • GET /templates - list available workspace templates

Private app authentication (X-Rigbox-Key)

When an app’s visibility is set to private or privileged, requests from outside the workspace must include an X-Rigbox-Key header. This is separate from the Authorization header used for the main API. Any valid API key (rb_*) will work as the value:

curl https://<APP_NAME>.rigbox.dev/endpoint \
  -H "X-Rigbox-Key: $RIGBOX_API_KEY"

Replace <APP_NAME> with the name of your app (the value you passed to rig app new or the app create endpoint).

Requests made from inside the workspace (e.g. between services on localhost) do not need this header. It is only required for requests arriving from the public internet.

The app detail page in the dashboard includes this header automatically in the Usage tab examples when the app is private. See App Visibility for more details.

Access control

Rigbox supports fine-grained RBAC for multi-user accounts via the Access Control API. This feature is currently in preview and available to select accounts.

Error responses

| Status | Description |
| --- | --- |
| 401 Unauthorized | Missing, expired, or invalid credential |
| 403 Forbidden | Valid auth but insufficient permissions for the requested resource |

{
  "message": "Missing Authorization header"
}