API Reference
Authentication - Bijak Cloud Docs
API keys, OAuth2, and service accounts for the Bijak Cloud API.
Overview
Bijak Cloud supports three authentication mechanisms for the API: API keys for scripts and CI, OAuth2 for user-facing applications, and service accounts for unattended workloads. Choose the one that matches the use case; never embed API keys in user-facing code.
API keys
API keys are the simplest option. Create one in the dashboard under Settings → API keys. Keys are scoped to a single workspace and a set of permissions.
curl -X POST https://api.bijakcloud.example/v1/inference/chat \
  -H "Authorization: Bearer $BIJAK_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model":"bijak-merlion-13b","messages":[{"role":"user","content":"hi"}]}'
Keys are rotated by creating a new one and revoking the old. Revocation is immediate and produces a single audit event.
Best for: scripts, CI pipelines, and developer workstations. Keys should never be embedded in client-side code.
OAuth2
For user-facing applications, use OAuth2 with PKCE. Bijak Cloud supports the authorization-code flow and returns short-lived access tokens plus a refresh token.
const authUrl = new URL('https://auth.bijakcloud.example/oauth/authorize');
authUrl.searchParams.set('client_id', CLIENT_ID);
authUrl.searchParams.set('redirect_uri', REDIRECT_URI);
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('code_challenge', pkceChallenge);
authUrl.searchParams.set('code_challenge_method', 'S256');
authUrl.searchParams.set('scope', 'inference.read inference.write rag.read rag.write');
Exchange the code for tokens at the /oauth/token endpoint. Access tokens expire after 1 hour; refresh tokens after 30 days.
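An added example (not from the Bijak Cloud docs or SDK) showing how the `pkceChallenge` value in the request above can be derived, and how the redirect is checked before the code is exchanged, using Node.js's built-in `crypto` module. The function names are hypothetical; the `state` parameter and the token-request field names follow RFC 6749 and RFC 7636 and are assumptions about this API.

```javascript
const { randomBytes, createHash } = require('node:crypto');

// code_verifier: 32 random bytes -> 43 base64url characters (RFC 7636 allows 43-128).
function newCodeVerifier() {
  return randomBytes(32).toString('base64url');
}

// S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))), without padding.
function s256Challenge(verifier) {
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(verifier)) {
    throw new Error('code_verifier must be 43-128 unreserved characters');
  }
  return createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Keep verifier and state in the user's session; only the challenge is sent.
function buildAuthRequest({ clientId, redirectUri, scope }) {
  const verifier = newCodeVerifier();
  const state = randomBytes(16).toString('base64url'); // assumed: standard OAuth2 state
  const authUrl = new URL('https://auth.bijakcloud.example/oauth/authorize');
  authUrl.searchParams.set('client_id', clientId);
  authUrl.searchParams.set('redirect_uri', redirectUri);
  authUrl.searchParams.set('response_type', 'code');
  authUrl.searchParams.set('code_challenge', s256Challenge(verifier));
  authUrl.searchParams.set('code_challenge_method', 'S256');
  authUrl.searchParams.set('scope', scope);
  authUrl.searchParams.set('state', state);
  return { authUrl, verifier, state };
}

// A state mismatch means the response does not belong to this session's request.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get('state') !== expectedState) throw new Error('state mismatch');
  if (params.has('error')) throw new Error(`authorization failed: ${params.get('error')}`);
  const code = params.get('code');
  if (!code) throw new Error('missing authorization code');
  return code;
}

// Form body for the /oauth/token exchange (field names per RFC 6749/7636, assumed).
function tokenRequestBody({ clientId, redirectUri, code, verifier }) {
  return new URLSearchParams({
    grant_type: 'authorization_code', code, code_verifier: verifier,
    client_id: clientId, redirect_uri: redirectUri,
  });
}
```

The verifier is sent only in the token request, so the server can check that the party redeeming the code is the one that started the flow.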
Service accounts
Service accounts are non-human identities for production workloads. They support key rotation without downtime, scoped permissions, and per-identity audit trails.
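// Create a service account with scoped permissions and a 90-day rotation policy.
const sa = await client.serviceAccounts.create({
  name: 'inference-prod',
  scopes: ['inference.read', 'inference.write'],
  rotationDays: 90,
});
// Rotate on demand; the previous key stays valid for the overlap window.
const newKey = await sa.rotateKey();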
Service-account keys can be rotated programmatically and the old key remains valid for a 24-hour overlap window to avoid downtime.
Audit logging
Every authentication event (key creation, revocation, OAuth2 token issuance, service-account rotation) produces an audit log entry visible in the dashboard and exportable to your SIEM. Auth logs include the actor, the action, the source IP, and the user agent.
Next steps
- Read the Inference API reference for request/response shapes.
- Review RAG API for document upload and corpus management.
- See Concepts: Sovereignty for how auth integrates with the audit posture.