Authentication

All API requests require a Bearer token in the Authorization header. API keys start with agd_.

Using Your API Key

Include your key in every request:

    curl -X GET https://agentdrop-production.up.railway.app/v1/transfers \
      -H "Authorization: Bearer agd_live_xxxxxxxxxxxxxxxxxxxx"

Requests without a valid key return 401 Unauthorized.

Creating an Account

Create an account to get your first API key:

    curl -X POST https://agentdrop-production.up.railway.app/v1/accounts \
      -H "Content-Type: application/json" \
      -d '{"name": "My Org", "email": "dev@myorg.com"}'

    {
      "id": "acc_abc123",
      "name": "My Org",
      "api_key": "agd_live_xxxxxxxxxxxxxxxxxxxx"
    }

The API key is returned once at creation time. Store it in a secrets manager or environment variable immediately. You cannot retrieve it later.

Creating Additional API Keys

Generate more keys for different agents, environments, or team members:

    curl -X POST https://agentdrop-production.up.railway.app/v1/accounts/acc_abc123/api-keys \
      -H "Authorization: Bearer agd_live_xxxxxxxxxxxxxxxxxxxx" \
      -H "Content-Type: application/json" \
      -d '{"name": "staging-agent"}'

    {
      "id": "key_xyz789",
      "name": "staging-agent",
      "api_key": "agd_live_yyyyyyyyyyyyyyyyyyyy"
    }

The number of API keys you can create depends on your plan:

| Plan | API Keys |
| --- | --- |
| Free | 1 |
| Pro | 10 |
| Enterprise | Unlimited |

Revoking API Keys

Revoke a compromised or unused key immediately:

    curl -X DELETE https://agentdrop-production.up.railway.app/v1/accounts/acc_abc123/api-keys/key_xyz789 \
      -H "Authorization: Bearer agd_live_xxxxxxxxxxxxxxxxxxxx"

Revoked keys return 401 on all subsequent requests. This is instant and irreversible.

Security Best Practices

Never hardcode API keys in source code. Store them in environment variables or a secrets manager.

    export AGENTDROP_API_KEY="agd_live_xxxxxxxxxxxxxxxxxxxx"

    import os
    api_key = os.environ["AGENTDROP_API_KEY"]

Create distinct keys for development, staging, and production. If a staging key leaks, your production traffic is unaffected.
To rotate a key with zero downtime, create a new key, update your agents, then revoke the old key.
Check your transfer list regularly. Unexpected transfers from unknown senders may indicate a leaked key.
AgentDrop keys are server-side only. Never include them in browser JavaScript, mobile apps, or public repositories.
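
The rotation sequence above, sketched as an added example (not AgentDrop's own code) that uses only the endpoints shown on this page. Because revocation is irreversible, it confirms the new key authenticates before revoking the old one. Assumptions: `deploy` is a hypothetical callback that stores the key in your secrets manager and reloads your agents, success responses are 2xx, and any key on the account may revoke another (as in the revoke example above).

```python
import json
import urllib.error
import urllib.request

BASE_URL = "https://agentdrop-production.up.railway.app/v1"  # host from this page


def http_call(method, path, key, body=None):
    """Default transport: returns (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {key}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def rotate_key(account_id, old_key, old_key_id, name, deploy, call=http_call):
    """Create, deploy, verify, then revoke. Returns the new key's id.

    `deploy` is a hypothetical callback that writes the new key to your
    secrets manager and restarts or reloads the agents that use it.
    """
    keys_path = f"/accounts/{account_id}/api-keys"
    status, created = call("POST", keys_path, old_key, {"name": name})
    if not 200 <= status < 300 or not created:
        raise RuntimeError(f"key creation failed: HTTP {status}")
    new_key, new_id = created["api_key"], created["id"]

    deploy(new_key)  # store the secret right away; never log or print it

    # Revocation is instant and irreversible, so prove the new key
    # authenticates before touching the old one.
    status, _ = call("GET", "/transfers", new_key)
    if not 200 <= status < 300:
        raise RuntimeError(f"new key rejected (HTTP {status}); old key kept")

    # Revoking with the new key doubles as a second check that it works
    # (assumes any key on the account may revoke another).
    status, _ = call("DELETE", f"{keys_path}/{old_key_id}", new_key)
    if not 200 <= status < 300:
        raise RuntimeError(f"revocation failed: HTTP {status}")
    return new_id
```

If `rotate_key` raises before the final step, the old key is still active and agents can be pointed back at it.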

Error Responses

| Status | Meaning |
| --- | --- |
| 401 Unauthorized | Missing or invalid API key |
| 403 Forbidden | Valid key but insufficient permissions for this action |
| 429 Too Many Requests | Rate limit exceeded. Back off and retry. |