Skip to main content
Protector Plus authenticates API calls using an organization-wide API key combined with an App ID to identify which application and security profile to apply.

Authentication model

The current authentication architecture (1.1.x) uses a per-app security profile model:
  • Org-wide API key — A single API key for your entire organization, generated in Org Settings
  • App ID — A unique identifier for each registered application
  • Security Profile — Each app is bound to a security profile that defines its guardrail configuration

How it works

When you make an API call:
  1. The system validates your X-API-Key against the org-wide credential
  2. It looks up your app using X-App-ID
  3. It retrieves the security profile bound to that app
  4. It applies the guardrails configured in that profile

Setting up authentication

Step 1: Generate the org-wide API key

1

Navigate to Org Settings

Sign in as an admin → Org Settings in the dashboard sidebar.
2

Generate the API key

Click Generate to create your organization-wide API key.
3

Store the key securely

The key is shown once. Save it in a secrets manager — Vault, AWS Secrets Manager, GCP Secret Manager, Doppler, etc.
The key is hashed (SHA-256) and stored securely. If lost, you must generate a new key, which will invalidate the previous one.

Step 2: Register your application

1

Navigate to Apps

Dashboard → AppsRegister App.
2

Fill the registration form

  • App Name: Human-readable name (e.g., “HR Chatbot”)
  • App ID: Unique identifier (e.g., hr-chatbot, customer-support-bot)
  • Security Profile: Select which security profile to bind this app to
3

Save and note the App ID

Your App ID will be shown (masked as app-•••• with a reveal button). Copy it for use in API calls.
Multiple applications can share the same security profile. This is useful when you have several apps that need identical guardrail configurations.

Using the API credentials

All authenticated endpoints require both headers:
Both headers are required. Providing only one will return a 401 Unauthorized error.

Error responses

Default security profile (optional)

You can omit the X-App-ID header if using a valid org-wide API key. In this case, Protector Plus will use the security profile marked as default.
If no security profile is marked as default, requests without X-App-ID will return 404 Default security profile not configured.

Key scope and usage

Rotation

To rotate your org-wide API key:
  1. Generate a new key from Org Settings
  2. Roll the new key into your applications’ secret stores
  3. Deploy your applications with the new key
  4. Once all traffic has migrated, delete the old key from the dashboard
During rotation, you can temporarily have multiple keys active by generating a new one before deleting the old one.

Need an API key?

Get an API key

Request a sandbox key for evaluation or arrange a deeper technical conversation.