Overview

The Puppeteer API uses two authentication methods depending on the context:
  • API Keys for server-to-server calls (organization-scoped)
  • JWT Tokens for client-side and thread-scoped access

API Key

Pass your API key in the Authorization header:
curl https://api.puppeteerai.com/threads \
  -H "Authorization: YOUR_API_KEY"
API keys are scoped to an organization and grant access to all projects within it.
Keep your API key secret. Never expose it in client-side code or public repositories.

JWT Token

For client-facing integrations, generate a short-lived JWT token scoped to a specific thread:
curl -X POST https://api.puppeteerai.com/threads/THREAD_ID/token \
  -H "Authorization: YOUR_API_KEY"
{
    "access_token": "eyJhbGciOiJIUzI1..."
}
Use the returned token in place of your API key for subsequent requests on that thread. JWT tokens are ideal for chat widgets and end-user-facing applications where you don’t want to expose your API key.
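
A backend helper for the flow described above, as an added example that is not Puppeteer's own code: it keeps the API key on the server, calls the token endpoint from the curl command, and hands the client only the access_token. The PUPPETEER_API_KEY environment variable, the function names, and the thread ID character set are assumptions that this page does not document.

```python
import json
import os
import re
import urllib.request

API_BASE = "https://api.puppeteerai.com"  # host taken from the curl examples above
# Assumption: thread IDs are short URL-safe strings; their format is not documented here.
THREAD_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")


def build_token_request(thread_id, api_key):
    """Build the POST /threads/THREAD_ID/token request shown in the curl example."""
    if not THREAD_ID_RE.fullmatch(thread_id):
        # A client-supplied ID containing "/", "?" or ".." must not reshape the
        # path of a request that is sent with the organization-wide API key.
        raise ValueError("invalid thread id")
    if not api_key:
        raise ValueError("API key not configured")
    return urllib.request.Request(
        f"{API_BASE}/threads/{thread_id}/token",
        method="POST",
        headers={"Authorization": api_key},
    )


def mint_thread_token(thread_id, api_key=None, opener=urllib.request.urlopen):
    """Return only the thread-scoped JWT; the API key never leaves the server."""
    # PUPPETEER_API_KEY is a hypothetical variable name chosen for this example.
    api_key = api_key or os.environ.get("PUPPETEER_API_KEY", "")
    req = build_token_request(thread_id, api_key)
    with opener(req, timeout=10) as resp:
        body = json.load(resp)
    token = body.get("access_token")
    if not isinstance(token, str) or not token:
        raise RuntimeError("token endpoint returned no access_token")
    # Forward the token alone, not the whole upstream response.
    return {"access_token": token}
```

Call mint_thread_token from your own authenticated endpoint, after checking that the signed-in user is allowed to use that thread, and return its result to the widget.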