Cluster API Keys

Cluster API keys are used to authenticate requests with the Inferable API. Each key is associated with one cluster, and can has permission to:

API keys are intended for usage within trusted environments, i.e from your service’s backend. They are not intended for front end usage, instead see Customer Provided Secrets

SDKs

The Inferable SDKs (except for @inferable/sdk-react require an API key, if none is provided explicitly it will attempt to use the environment variable INFERABLE_API_SECRET

const client = new Inferable({
  apiSecret: "YOUR_API_SECRET",
});

API Key Management

New secrets can be created (and revoked):

Customer Provided Secrets

Customer Provided Secrets allows you to call any of the Run API endpoints using a token that your are responsible for validating. This is in contrast to Cluster API Keys which are vaildated by Inferable.

This allows usage of the Inferable API’s from your front end application without exposing an API Key.

Assuming your application has some kind of authentication token for the user’s session, you can pass this token into calls to Inferable. If available, the default.handleCustomerAuth will be used to validate the token (Otherwise the request will be rejected).

Customer Provided Secrets are provided to API calls via the Authorization header and delimited by the customer scheme:

Authorization: "customer MY_TOKEN"

A Run which is created with a customer provided secret can only be managed with that same secret (or a non-customer managed API secret).

handleCustomerAuth

The JSON serialized object returned from default.handleCustomerAuth will be passed to all subsequent calls in the run within the context object, allowing for authentication context (userId, etc) to be propagated. If the function throws an error, the request will not be permitted.

Subsequent function calls in the Run will receive the auth context as a parameter.

client.default.register({
  name: "checkTime",
  func: async (_input, context) => {
    //{
    //  runContext: null
    //  authContext: {
    //    userID: "abc-123"
    //  }
    //}
    console.log(context);
  },
});

const run = await client.run({
  initialPrompt: "What is the current time?",
  context: {
    timeZone: "Australia/Adelaide",
  },
});

If you would like to pass context to all calls in a run without using a customer provided token, see run.context.

client.default.register({
  name: "handleCustomerAuth",
  func: (input) => {
    // Perform your token validation here, throw if unsuccessful.
    return { userID: "abc-123" };
  },
  schema: handleCustomerAuthSchema,
  config: {
    cache: {
      keyPath: "$.token",
      ttlSeconds: 60,
    },
  },
});

CLI Authentication

When using the Inferable CLI, no API keys are required. The CLI retrieves a short lived (1hr) token when the inf auth login command is run.

Was this page helpful?

Core ConceptsRuns