Authentication
Crew supports multiple authentication methods depending on your use case. This guide covers API keys for server-to-server communication and JWT tokens for user-scoped access.
Authentication Methods
| Method | Use Case |
|---|---|
| API Keys | Server-to-server, backend integrations |
| JWT Tokens | User-scoped access, frontend applications |
| OAuth 2.0 | Third-party integrations (Enterprise) |
API Keys
API keys provide full access to your workspace's resources. Use them for backend integrations and server-to-server communication.
Creating API Keys
1. Navigate to Settings: go to your Workspace → Settings → API Keys.
2. Create New Key: click Create API Key.
3. Name and Configure: give the key a descriptive name and set its permissions.
4. Copy Key: copy the key immediately; it won't be shown again.
Using API Keys
Include the key in the Authorization header of every request.
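The following is an added example, not code from Crew or its client libraries. It reads the key from an environment variable, checks the key's prefix against the deployment it is running in (the check behind the "use separate keys per environment" advice later on this page), and builds the Authorization header. The Bearer scheme, the assumed key body of at least 16 alphanumeric characters after the prefix, and the environment-to-prefix policy are assumptions; confirm the header format against the API reference.

```python
# Added example (not Crew's own client library): read a Crew API key from the
# environment, check that its prefix matches the deployment it is running in,
# and build the Authorization header.
# Assumed, not stated on the page: the Bearer scheme, a key body of at least
# 16 alphanumeric characters after the prefix, and the environment policy below.
import os
import re

# Prefixes from the Key Prefixes table.
PREFIX_ENV = {"crew_sk_live_": "production", "crew_sk_test_": "sandbox"}

# Assumed policy behind "use separate keys per environment":
# live keys only in production, test keys everywhere else.
ALLOWED_PREFIX_FOR_ENV = {
    "production": "crew_sk_live_",
    "staging": "crew_sk_test_",
    "development": "crew_sk_test_",
}

KEY_RE = re.compile(r"^(crew_sk_(?:live|test)_)([A-Za-z0-9]{16,})$")


class ApiKeyError(ValueError):
    """Raised before any request is sent; the key never leaves the process."""


def classify_key(key: str) -> str:
    """Return 'production' or 'sandbox' for a well-formed key, else raise."""
    m = KEY_RE.match(key.strip())
    if not m:
        raise ApiKeyError("malformed key: expected crew_sk_live_ or crew_sk_test_ prefix")
    return PREFIX_ENV[m.group(1)]


def redact(key: str) -> str:
    """Log-safe form: prefix plus last four characters only."""
    m = KEY_RE.match(key)
    return f"{m.group(1)}...{key[-4:]}" if m else "<invalid key>"


def auth_header(key: str, deploy_env: str) -> dict:
    """Build the header, refusing a live key outside production (and vice versa)."""
    key = key.strip()
    classify_key(key)  # raises on malformed input
    expected_prefix = ALLOWED_PREFIX_FOR_ENV.get(deploy_env)
    if expected_prefix is None:
        raise ApiKeyError(f"unknown deployment environment {deploy_env!r}")
    if not key.startswith(expected_prefix):
        raise ApiKeyError(f"{redact(key)} is not allowed in {deploy_env!r}")
    return {"Authorization": f"Bearer {key}"}  # Bearer scheme is assumed


def header_from_env(deploy_env: str, var: str = "CREW_API_KEY") -> dict:
    """Read the key from an environment variable rather than from source code."""
    key = os.environ.get(var)
    if not key:
        raise ApiKeyError(f"{var} is not set")
    return auth_header(key, deploy_env)


if __name__ == "__main__":
    sample = "crew_sk_test_" + "a" * 24  # constructed sample, not a real key
    print(auth_header(sample, "development"))
    print(redact(sample))
```

Call header_from_env("production") at startup rather than on each request, so a misconfigured deployment fails fast before any traffic is sent, and log only the redact() form of the key.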
Key Prefixes
| Prefix | Environment |
|---|---|
| crew_sk_live_ | Production |
| crew_sk_test_ | Sandbox/Test |
Key Permissions
Scope API keys to specific permissions:
| Permission | Description |
|---|---|
| *:read | Read access to all resources |
| *:write | Write access to all resources |
| calls:read | Read call data |
| calls:write | Create and modify calls |
| agents:read | Read agent configurations |
| agents:write | Modify agent configurations |
| analytics:read | Access analytics data |
Rotating Keys
Rotate keys periodically for security:
1. Create New Key: create a new API key with the same permissions as the old one.
2. Update Applications: update every application to use the new key.
3. Revoke Old Key: once all applications are updated and the audit log shows no further api_key.used events for the old key, delete it.
Revoking Keys
Immediately revoke any compromised key. Treat a key that has been committed to source control, pasted into a ticket or chat, or written to a log in plaintext as compromised, even if you see no misuse yet.
JWT Tokens
JWT tokens provide user-scoped access, ideal for frontend applications and user-specific operations.
Generating Tokens
Generate tokens server-side, where the signing secret lives. The browser receives a signed token; it must never receive the secret used to sign it.
Using JWT Tokens
Token Structure
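The following is an added example, not Crew's own code, covering this section end to end: server-side generation, the three-part header.payload.signature structure, server-side validation, and the pre-expiry refresh described under Refreshing Tokens below. It uses only the Python standard library. Assumed, because the page does not state them: an HS256 shared secret between issuer and verifier, the standard registered claims iss/sub/iat/exp, a 15-minute token lifetime, and a refresh when 5 minutes or less remain.

```python
# Added example (not Crew's own code): mint, verify, and refresh a short-lived
# HS256 JWT using only the Python standard library.
# Assumed, not stated on the page: a shared HMAC secret between issuer and
# verifier, the registered claims iss/sub/iat/exp, a 15-minute lifetime, and
# a 5-minute refresh window.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "crew"           # assumed issuer identifier
LIFETIME = 15 * 60        # seconds; well under the page's one-hour ceiling
REFRESH_WINDOW = 5 * 60   # refresh once this little validity remains


class TokenError(Exception):
    """Any verification failure. Callers must not read claims from the token."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _compact(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(secret: bytes, user_id: str, now: Optional[int] = None) -> str:
    """Server-side only: header.payload.signature, base64url, signed with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": user_id, "iat": now, "exp": now + LIFETIME}
    signing_input = f"{_compact(header)}.{_compact(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token(secret: bytes, token: str, now: Optional[int] = None) -> dict:
    """Validate server-side before trusting any claim."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        raise TokenError("invalid_token: malformed")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise TokenError("invalid_token: malformed")
    # Pin the algorithm. Honouring header["alg"] enables alg=none and key-confusion attacks.
    if header.get("alg") != "HS256":
        raise TokenError("invalid_token: unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise TokenError("invalid_token: bad signature")
    if payload.get("iss") != ISSUER:
        raise TokenError("invalid_token: wrong issuer")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("expired_token")
    return payload


def refresh_if_needed(secret: bytes, token: str, now: Optional[int] = None) -> str:
    """Hand back a new token when the current one is valid but close to expiry."""
    now = int(time.time()) if now is None else now
    claims = verify_token(secret, token, now)  # never refresh a token that fails verification
    if claims["exp"] - now <= REFRESH_WINDOW:
        return issue_token(secret, claims["sub"], now)
    return token
```

The order of checks in verify_token matters: the algorithm is pinned and the signature is verified before any claim is inspected, so a forged token is rejected without its contents ever being consulted, and the expiry check uses a caller-supplied clock so it can be tested deterministically.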
Refreshing Tokens
Refresh tokens shortly before they expire so that user sessions are not interrupted.
OAuth 2.0 (Enterprise)
For third-party integrations, Crew supports OAuth 2.0.
Authorization Code Flow
- Redirect the user to the authorization endpoint.
- The user authorizes the application.
- Exchange the returned code for a token.
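The three steps above, as an added example that is not Crew's SDK or documentation code. It includes the two client-side checks a reviewer would look for in this flow: a one-time state value bound to the user's session, compared on callback to stop login CSRF, and PKCE so an intercepted code is useless without the verifier. The endpoint paths (/oauth/authorize, /oauth/token), the example host, and the assumption that the server accepts PKCE with the S256 method are not stated on the page.

```python
# Added example (not Crew's own SDK): the client side of the authorization code
# flow, with a one-time `state` value to stop login CSRF and PKCE so that an
# intercepted code cannot be redeemed without the verifier.
# Assumed, not from the page: endpoint paths /oauth/authorize and /oauth/token
# on an example host, and that the server accepts PKCE (S256).
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://api.example.invalid/oauth/authorize"  # assumed host and path
TOKEN_URL = "https://api.example.invalid/oauth/token"          # assumed host and path


def pkce_challenge(verifier: str) -> str:
    """S256: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def query_param(url: str, name: str) -> Optional[str]:
    """First value of a query parameter, or None if absent."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


def begin_authorization(client_id: str, redirect_uri: str, scope: str) -> Tuple[str, Dict[str, str]]:
    """Step 1: build the redirect URL. `pending` is kept server-side in the
    user's session and is needed again in steps 2 and 3."""
    pending = {
        "state": secrets.token_urlsafe(32),     # unguessable, single use
        "verifier": secrets.token_urlsafe(64),  # PKCE code_verifier, never sent in step 1
        "redirect_uri": redirect_uri,
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": pending["state"],
        "code_challenge": pkce_challenge(pending["verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", pending


def handle_callback(callback_url: str, pending: Dict[str, str]) -> str:
    """Step 2: the user returns. Check state before touching the code."""
    error = query_param(callback_url, "error")
    if error:
        raise PermissionError(f"authorization denied: {error}")
    state = query_param(callback_url, "state")
    if state is None or not secrets.compare_digest(state.encode(), pending["state"].encode()):
        raise PermissionError("state mismatch: possible CSRF, discard the code")
    code = query_param(callback_url, "code")
    if not code:
        raise PermissionError("no authorization code in callback")
    return code


def token_request(code: str, pending: Dict[str, str], client_id: str, client_secret: str) -> Tuple[str, Dict[str, str]]:
    """Step 3: URL and form body for the code-for-token POST (over HTTPS only)."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": pending["redirect_uri"],  # must match step 1 exactly
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": pending["verifier"],     # proves this client started the flow
    }
    return TOKEN_URL, body
```

Delete the pending record from the session as soon as handle_callback returns, so a captured callback URL cannot be replayed against the same state.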
Client Credentials Flow
For server-to-server integrations without a user context.
Security Best Practices
API Keys
- Store securely: use environment variables or a secret manager. Never hardcode keys.
- Use minimal permissions: grant only the permissions each key needs.
- Rotate regularly: rotate keys at least every 90 days.
- Monitor usage: review API key usage logs for anomalies.
- Use separate keys per environment: development, staging, and production should have different keys.
JWT Tokens
- Short expiration: use short-lived tokens (1 hour or less).
- Validate on server: always validate tokens server-side before trusting claims.
- Use HTTPS only: never transmit tokens over unencrypted connections.
IP Allowlisting
Restrict API access to specific IP addresses. An allowlist is defence in depth, not a substitute for key hygiene: a request from an allowed address still needs a valid, correctly scoped key.
Audit Logging
All authentication events are logged:
| Event | Description |
|---|---|
| api_key.created | New API key created |
| api_key.used | API key used for request |
| api_key.revoked | API key deleted |
| token.issued | JWT token generated |
| token.refreshed | JWT token refreshed |
| auth.failed | Authentication failure |
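Two checks that put this log to work, as an added example rather than Crew tooling: one flags an api_key.used event for a key after its api_key.revoked event (the revocation step of rotation did not take effect, or the export is out of order), the other flags a source address with a burst of auth.failed events. Only the event names come from the table above; the record shape (ISO-8601 ts, event, key_id, source_ip) and the JSON-lines export format are assumptions, and the sample lines are constructed.

```python
# Added example (not Crew's own tooling): two detections over exported
# authentication audit events, following the "monitor usage" advice.
# Event names are from the Audit Logging table. The record shape (ts, event,
# key_id, source_ip) and the JSON-lines export format are assumed, and the
# sample below is constructed.
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_EXPORT = """\
{"ts":"2024-05-01T10:00:00Z","event":"api_key.created","key_id":"key_A","source_ip":"203.0.113.10"}
{"ts":"2024-05-01T10:01:00Z","event":"api_key.used","key_id":"key_A","source_ip":"203.0.113.10"}
{"ts":"2024-05-01T10:05:00Z","event":"api_key.revoked","key_id":"key_A","source_ip":"203.0.113.10"}
{"ts":"2024-05-01T10:06:30Z","event":"api_key.used","key_id":"key_A","source_ip":"198.51.100.7"}
{"ts":"2024-05-01T11:00:00Z","event":"auth.failed","key_id":null,"source_ip":"198.51.100.7"}
{"ts":"2024-05-01T11:00:05Z","event":"auth.failed","key_id":null,"source_ip":"198.51.100.7"}
{"ts":"2024-05-01T11:00:09Z","event":"auth.failed","key_id":null,"source_ip":"198.51.100.7"}
{"ts":"2024-05-01T11:00:12Z","event":"auth.failed","key_id":null,"source_ip":"198.51.100.7"}
{"ts":"2024-05-01T11:00:20Z","event":"auth.failed","key_id":null,"source_ip":"198.51.100.7"}
{"ts":"2024-05-01T11:30:00Z","event":"auth.failed","key_id":null,"source_ip":"192.0.2.44"}
{"ts":"2024-05-01T12:00:00Z","event":"token.issued","key_id":null,"source_ip":"203.0.113.10"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def used_after_revocation(events: List[dict]) -> List[Tuple[str, datetime, str]]:
    """api_key.used events for a key that was revoked earlier in the log."""
    revoked_at: Dict[str, datetime] = {}
    hits = []
    for e in events:
        if e["event"] == "api_key.revoked":
            revoked_at[e["key_id"]] = e["ts"]
        elif (e["event"] == "api_key.used"
              and e["key_id"] in revoked_at
              and e["ts"] > revoked_at[e["key_id"]]):
            hits.append((e["key_id"], e["ts"], e["source_ip"]))
    return hits


def failure_bursts(events: List[dict], threshold: int = 5,
                   window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Source IPs with at least `threshold` auth.failed events inside any sliding `window`.
    Returns the peak in-window count per flagged IP."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["event"] == "auth.failed":
            by_ip[e["source_ip"]].append(e["ts"])
    flagged: Dict[str, int] = {}
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    for key_id, ts, ip in used_after_revocation(evs):
        print(f"ALERT revoked key {key_id} used at {ts.isoformat()} from {ip}")
    for ip, peak in failure_bursts(evs).items():
        print(f"ALERT {peak} auth failures within one minute from {ip}")
```

Tune threshold and window to your traffic; the single failure from 192.0.2.44 in the sample stays below the threshold and is correctly left alone, while the five failures in twenty seconds from 198.51.100.7 are flagged.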
Error Codes
| Code | Description | Solution |
|---|---|---|
| invalid_api_key | Key is malformed | Check key format |
| expired_api_key | Key has been revoked | Create new key |
| insufficient_permissions | Key lacks required permission | Add permissions |
| expired_token | JWT has expired | Refresh token |
| invalid_token | JWT signature invalid | Generate new token |
| ip_not_allowed | Request from blocked IP | Update allowlist |
Next Steps
- API Overview — Full API reference
- Webhooks — Secure webhook verification
- SSO — Enterprise identity management