Authentication
Every request to the Rigbox API (except public endpoints) must include an Authorization header with a valid credential.
API keys
API keys are the simplest way to authenticate. Create one from the dashboard under Settings → API Keys, or via the Create API Key endpoint.
curl https://api.rigbox.dev/api/workspaces \
-H "Authorization: Bearer rb_your_api_key_here"
API keys grant full access to your account. Store them in environment variables or a secrets manager — never commit them to source control.
All API keys use the rb_ prefix:
export RIGBOX_API_KEY="rb_..."
curl https://api.rigbox.dev/api/workspaces \
-H "Authorization: Bearer ${RIGBOX_API_KEY}"
Bearer tokens (JWT)
If you authenticate through the dashboard login flow, you receive a JWT that can be used directly:
curl https://api.rigbox.dev/api/workspaces \
-H "Authorization: Bearer eyJhbG..."
JWTs expire after a set period. The dashboard handles refresh automatically.
Dashboard session tokens
The Rigbox frontends (rigbox.dev, clawd.rigbox.dev, sandbox.rigbox.dev) handle authentication automatically. Session tokens are managed by the dashboard — no extra setup needed for first-party UIs.
Choosing an auth method
| Client type | Recommended | Why |
|---|---|---|
| Backend service, CI, agent | API key | Stable, easy to rotate, no expiry |
| First-party dashboard | Session token | User-scoped, automatic refresh |
| Third-party web app | Your backend + API key | Keep keys server-side, proxy requests |
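
The "Your backend + API key" row, as an added example (not Rigbox's own code): a minimal Python proxy that attaches the key server-side so the browser never sees it. The listen address, the one-path allowlist and the JSON content type are assumptions for illustration.

```python
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM = "https://api.rigbox.dev"      # base URL from the curl examples
ALLOWED_PATHS = {"/api/workspaces"}      # assumption: the only route this app needs


def load_api_key(env=os.environ):
    """Read the key from the environment and sanity-check the rb_ prefix."""
    key = env.get("RIGBOX_API_KEY", "")
    if not key.startswith("rb_") or len(key) <= 3:
        raise RuntimeError("RIGBOX_API_KEY is missing or does not start with rb_")
    return key


def build_upstream_request(path, api_key):
    """Build the server-side request; no header sent by the browser is copied."""
    if path not in ALLOWED_PATHS:        # exact match, so query strings are refused too
        raise PermissionError(f"path not proxied: {path}")
    req = urllib.request.Request(UPSTREAM + path, method="GET")
    req.add_header("Authorization", f"Bearer {api_key}")
    return req


class Proxy(BaseHTTPRequestHandler):
    def do_GET(self):
        # Your own user authentication and authorization belong here (not shown).
        try:
            req = build_upstream_request(self.path, load_api_key())
        except PermissionError:
            return self.send_error(404)
        except RuntimeError:
            return self.send_error(500, "proxy misconfigured")  # never echo the key
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, body = resp.status, resp.read()
        except urllib.error.HTTPError as err:   # 401/403 from the API pass through
            status, body = err.code, err.read()
        except urllib.error.URLError:
            return self.send_error(502)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")  # assumed response type
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

Because the proxy authenticates with a full-access key, any caller who can reach it acts with that key's permissions on the allowlisted routes, so keep the allowlist as narrow as the app allows.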
Public endpoints
These endpoints do not require authentication:
GET /capacity — check platform availability
GET /templates — list available workspace templates
Access control
Rigbox supports fine-grained RBAC for multi-user accounts via the Access Control API. This feature is currently in preview and available to select accounts.
Error responses
| Status | Description |
|---|---|
| 401 Unauthorized | Missing, expired, or invalid credential |
| 403 Forbidden | Valid auth but insufficient permissions for the requested resource |
{
"message": "Missing Authorization header"
}