Authentication
The production server supports optional API key authentication to protect your agent.
Setup
Add one or more of these environment variables to your project's .env:
```sh
KLISK_API_KEY=my-secret-key
KLISK_CHAT_KEY=chat-key-1,chat-key-2
KLISK_WIDGET_KEY=widget-key
```

| Variable | Description |
|---|---|
| KLISK_API_KEY | General-purpose key(s) — grants access to all endpoints |
| KLISK_CHAT_KEY | Chat UI key(s) — only for the chat interface |
| KLISK_WIDGET_KEY | Widget key(s) — only for the embeddable widget |

If none of these are set, the server runs without authentication.
Key pooling
You can set multiple keys per variable (comma-separated). Any valid key grants access:
```sh
KLISK_API_KEY=key-team-a,key-team-b,key-team-c
```

This is useful for giving different keys to different teams or clients, and revoking individual keys without affecting others.
How to send the key
REST API
Use the Authorization header:
```bash
curl -X POST https://your-url/api/chat \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_KEY" \
  -d '{"message": "Hello", "stream": false}'
```

WebSocket
Use the key query parameter:
```
wss://your-url/ws/chat?key=YOUR_KEY
```

Chat UI
When authentication is enabled, the chat UI prompts the user for a key on first visit. The key is stored in localStorage so they don't have to enter it again.
Embeddable widget
Pass the key via the data-key attribute:
```html
<script
  src="https://your-url/widget.js"
  data-key="your-widget-key"
></script>
```

Security
- Keys are compared using constant-time comparison (hmac.compare_digest) to prevent timing attacks.
- Always use HTTPS in production to protect keys in transit.
- Never commit API keys to version control — they should only live in .env files (which are gitignored by default).
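
The sketch below shows how pooled, scoped keys can be checked with hmac.compare_digest. It is an added example, not the project's own code: the function names, the scope labels ("api", "chat", "widget") and the choice to deny a scope whose pool is empty while other keys are configured are assumptions.

```python
import hmac
import os

# Variables that unlock each surface, following the table in Setup.
# The scope labels are invented for this example.
SCOPE_VARS = {
    "api": ("KLISK_API_KEY",),
    "chat": ("KLISK_API_KEY", "KLISK_CHAT_KEY"),
    "widget": ("KLISK_API_KEY", "KLISK_WIDGET_KEY"),
}
ALL_VARS = ("KLISK_API_KEY", "KLISK_CHAT_KEY", "KLISK_WIDGET_KEY")

# Constructed sample environment (note the stray space after the comma).
SAMPLE_ENV = {
    "KLISK_API_KEY": "key-team-a, key-team-b",
    "KLISK_CHAT_KEY": "chat-key-1,chat-key-2",
}


def load_pool(env, names):
    """Split comma-separated key lists, dropping blanks and whitespace."""
    pool = []
    for name in names:
        pool += [k.strip() for k in env.get(name, "").split(",") if k.strip()]
    return pool


def auth_enabled(env):
    """Authentication is off only when no variable holds a usable key."""
    return bool(load_pool(env, ALL_VARS))


def is_authorized(presented, scope, env=os.environ):
    if not auth_enabled(env):
        return True  # documented behaviour when no keys are set
    if not presented:
        return False
    candidate = presented.encode("utf-8")  # bytes, so non-ASCII input is safe
    ok = False
    # Check every pool entry with no early exit, so timing does not reveal
    # which key (if any) matched.
    for key in load_pool(env, SCOPE_VARS[scope]):
        ok |= hmac.compare_digest(candidate, key.encode("utf-8"))
    return ok
```

A value that contains only commas or whitespace yields an empty pool, which this sketch treats the same as an unset variable, so a deployment check should confirm that at least one non-empty key was loaded.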
