Authentication model
The current authentication architecture (1.1.x) uses a per-app security profile model:- Org-wide API key — A single API key for your entire organization, generated in Org Settings
- App ID — A unique identifier for each registered application
- Security Profile — Each app is bound to a security profile that defines its guardrail configuration
How it works
When you make an API call:- The system validates your
X-API-Keyagainst the org-wide credential - It looks up your app using
X-App-ID - It retrieves the security profile bound to that app
- It applies the guardrails configured in that profile
Setting up authentication
Step 1: Generate the org-wide API key
1
Navigate to Org Settings
Sign in as an admin → Org Settings in the dashboard sidebar.
2
Generate the API key
Click Generate to create your organization-wide API key.
3
Store the key securely
The key is shown once. Save it in a secrets manager — Vault, AWS Secrets Manager, GCP Secret Manager, Doppler, etc.
Step 2: Register your application
1
Navigate to Apps
Dashboard → Apps → Register App.
2
Fill the registration form
- App Name: Human-readable name (e.g., “HR Chatbot”)
- App ID: Unique identifier (e.g.,
hr-chatbot,customer-support-bot) - Security Profile: Select which security profile to bind this app to
3
Save and note the App ID
Your App ID will be shown (masked as
app-•••• with a reveal button). Copy it for use in API calls.Using the API credentials
All authenticated endpoints require both headers:Error responses
Default security profile (optional)
You can omit theX-App-ID header if using a valid org-wide API key. In this case, Protector Plus will use the security profile marked as default.
If no security profile is marked as default, requests without
X-App-ID will return 404 Default security profile not configured.Key scope and usage
Rotation
To rotate your org-wide API key:- Generate a new key from Org Settings
- Roll the new key into your applications’ secret stores
- Deploy your applications with the new key
- Once all traffic has migrated, delete the old key from the dashboard
During rotation, you can temporarily have multiple keys active by generating a new one before deleting the old one.
Need an API key?
Get an API key
Request a sandbox key for evaluation or arrange a deeper technical conversation.

