Authentication
ASG Gateway uses API keys issued per customer. All authenticated routes expect:
Authorization: Bearer <api_key>
Register (no auth)
curl -sS -X POST https://api.asgrefinery.io/v1/customers \
  -H 'Content-Type: application/json' \
  -d '{"name":"Acme","email":"ops@acme.example"}'
Success (201):
{
  "customer_id": "cust_...",
  "api_key": "sk_sandbox_...",
  "tier": "sandbox",
  "label_quota": 500,
  "message": "Store this API key securely — it cannot be retrieved again."
}
Error (409):
{
  "error": "email already registered"
}
API key format
| Prefix | Meaning |
|---|---|
| sk_sandbox_... | Sandbox / development tier (default at registration) |
| sk_live_... | Production tier (issued when your account is upgraded) |
The Gateway stores a hash of the key; the raw value is returned once at registration.
Profile (auth required)
curl -sS -H "Authorization: Bearer $API_KEY" \
  https://api.asgrefinery.io/v1/customers/me
Success (200):
{
  "customer_id": "cust_...",
  "name": "Acme",
  "email": "ops@acme.example",
  "tier": "sandbox",
  "label_quota": 500,
  "created_at": 1712659200,
  "api_key_hint": "sk_sand..."
}
Python SDK
import os

import requests

# Read the key from the environment rather than hard-coding it in source.
r = requests.get(
    "https://api.asgrefinery.io/v1/customers/me",
    headers={"Authorization": f"Bearer {os.environ['API_KEY']}"},
    timeout=30,
)
print(r.status_code, r.json())
Warning: The Console and SDKs use the same Bearer scheme. Never log the full key.
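One way to enforce the warning above in client code, as an added example that is not part of the ASG documentation or SDK: a logging formatter that rewrites any full key to a short hint shaped like the `api_key_hint` field before the line is written, including keys that surface in exception text. The class, function and logger names are hypothetical, the sample keys are constructed, and the character set and minimum length of the part after the documented `sk_sandbox_` / `sk_live_` prefix are assumptions.

```python
import io
import logging
import re

# Assumption: the secret part after the documented prefix is at least eight
# URL-safe characters; the page only documents the two prefixes.
KEY_RE = re.compile(r"\bsk_(?:sandbox|live)_[A-Za-z0-9_\-]{8,}")


def redact(text: str) -> str:
    """Replace each full key with a 7-character hint, like api_key_hint."""
    return KEY_RE.sub(lambda m: m.group(0)[:7] + "...", text)


class RedactingFormatter(logging.Formatter):
    """Scrub keys from the final log line, traceback text included."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def demo() -> str:
    """Log constructed lines through the formatter and return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    log = logging.getLogger("asg_demo")  # hypothetical logger name
    log.handlers = [handler]
    log.propagate = False
    log.setLevel(logging.DEBUG)

    key = "sk_sandbox_CONSTRUCTEDexample0123456789"  # constructed, not real
    log.debug("request headers: %s", {"Authorization": f"Bearer {key}"})
    try:
        raise ValueError(f"bad response while using {key}")
    except ValueError:
        log.exception("call failed")  # the traceback text carries the key
    log.info("live key %s", "sk_live_CONSTRUCTEDexample9876543210")
    return stream.getvalue()


if __name__ == "__main__":
    print(demo())
```

The formatter only protects handlers it is attached to, so set it on every handler that writes to disk or ships logs elsewhere.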
Auth failures
| HTTP | Body (typical) | Meaning |
|---|---|---|
| 401 | {"error":"invalid API key"} | Missing Authorization, wrong scheme, or unknown key |
| 403 | {"error":"quota exhausted"} | Key is valid but label quota is exhausted (see Billing) |
Example 401:
{
  "error": "invalid API key"
}
Security practices
- Store keys in environment variables or a secrets manager (Vault, AWS Secrets Manager, etc.).
- Rotate if a key leaks: register a new account or contact support for live-key rotation on enterprise tiers.
- Never commit keys to git; use .env excluded from VCS.