Authentication
Learn how to authenticate with OneBudd STS using API keys and session tokens.
API Key Structure
OneBudd uses Stripe-style API keys with distinct prefixes for test/live modes and publishable/secret keys. This makes it easy to identify key types at a glance.
Publishable Keys
Safe for client-side code. Used to identify your account.
pk_test_
pk_live_
Secret Keys
Server-side only. Never expose in client code.
sk_test_
sk_live_
Key Prefix Reference
// API Key Prefixes
pk_test_ → Publishable test key (client-side safe)
pk_live_ → Publishable live key (client-side safe)
sk_test_ → Secret test key (server-side only)
sk_live_ → Secret live key (server-side only)
Session Authentication
After establishing a WebSocket connection, authenticate the session using the session.init event:
Session Initialization
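// Session initialization via WebSocket
// `socket` is the already-established WebSocket connection.
// The auth_token below is a secret key (sk_), so send this from server-side code only.
const initEvent = {
  type: "session.init",
  version: "1",
  timestamp: Date.now(),
  payload: {
    auth_token: "sk_live_xxxxxxxxxxxxx"
  }
};
socket.send(JSON.stringify(initEvent));
The server responds with session.started on success.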
SDK Authentication
The SDK handles session management automatically:
SDK Authentication
import { OneBuddClient } from '@onebudd/sdk';

// Initialize with API key
const client = new OneBuddClient({
  baseUrl: 'wss://api.onebudd.com'
});

// Start authenticated session
await client.startSession({
  auth_token: process.env.ONEBUDD_SECRET_KEY
});
Test vs Live Mode
Test Mode
- Use _test_ keys
- Free API usage for development
- Simulated responses available
- Rate limits may differ
Live Mode
- Use _live_ keys
- Real API calls, billed usage
- Production-ready responses
- Full rate limits apply
Security Best Practices
- Never expose secret keys (sk_) in client-side code
- Use environment variables to store keys on the server
- Rotate keys immediately if compromised
- Use test keys during development, live keys only in production
- Implement key rotation policies for enhanced security
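The prefix scheme and the practices above can be enforced in code. The following is an added example, not part of the OneBudd SDK or the original page: classifyKey, assertKeyAllowed and findSecretKeys are hypothetical helpers, the context and env labels are assumed, and the key-body character set used when scanning is an assumption because the page does not specify it.

```javascript
// Added example; helper names are hypothetical, not OneBudd SDK APIs.
const KEY_PREFIX = /^(pk|sk)_(test|live)_(.+)$/;

// Split a key into its type and mode using the documented prefixes.
function classifyKey(key) {
  const m = typeof key === 'string' ? KEY_PREFIX.exec(key) : null;
  if (!m) return null;
  return { secret: m[1] === 'sk', mode: m[2] };
}

// Check a key against the practices listed above before it is used.
// context: 'client' | 'server'; env: 'development' | 'production' (assumed labels).
function assertKeyAllowed(key, { context, env }) {
  const info = classifyKey(key);
  if (!info) throw new Error('unrecognized key prefix');
  if (info.secret && context !== 'server') {
    throw new Error('secret key (sk_) used outside server-side code');
  }
  if (info.mode === 'live' && env !== 'production') {
    throw new Error('live key used outside production');
  }
  return info;
}

// Scan text (for example a built client bundle) for secret-key prefixes.
// Assumption: key bodies are alphanumeric; the page does not define the format.
function findSecretKeys(text) {
  const hits = [];
  const re = /\bsk_(test|live)_[A-Za-z0-9]+/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    // Report position and mode only, never the key material itself.
    hits.push({ mode: m[1], index: m.index, redacted: `sk_${m[1]}_***` });
  }
  return hits;
}

// Constructed sample input: one publishable key (fine) and one secret key (a leak).
const SAMPLE_BUNDLE =
  'const pub="pk_live_CONSTRUCTED1";const cfg={auth_token:"sk_live_CONSTRUCTED2"};';

for (const hit of findSecretKeys(SAMPLE_BUNDLE)) {
  console.log(`secret ${hit.mode} key at offset ${hit.index}: ${hit.redacted}`);
}
```

Running findSecretKeys over client build output in CI turns the first best practice into a failing check rather than a convention.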