Authentication

The Workjet API supports two authentication methods: session cookies for browser-based access (Portal, Marketplace) and API keys for programmatic access. All API requests must be authenticated.

Session Cookies

Session-based authentication is used by the Portal and Marketplace web applications. When you sign in with Google OAuth, a secure session cookie is set:

  • Cookie name: wj_session
  • Flags: HttpOnly, Secure, SameSite=Lax
  • Domain: .workjet.dev (shared across subdomains)
  • Duration: 7 days, refreshed on each request

Cross-subdomain session sharing means signing in to portal.workjet.dev also authenticates you on marketplace.workjet.dev and api.workjet.dev.

Session cookies are set automatically by the browser during the OAuth flow. You don't need to manage them manually unless building a custom integration.

API Keys

API keys are used for programmatic access to the Workjet API from scripts, CI/CD pipelines, or the desktop app. Keys are prefixed with wj_live_ for easy identification.

Key Format

wj_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Keys are 32+ character alphanumeric strings prefixed with wj_live_.

How to Get an API Key

  1. Sign in to portal.workjet.dev
  2. Navigate to Settings > API Keys
  3. Click Create API Key
  4. Give the key a descriptive name (e.g., "CI/CD Pipeline" or "Desktop App")
  5. Copy the key immediately

Important: The raw API key is shown only once at creation. Workjet stores a SHA-256 hash of the key, not the key itself. If you lose the key, you'll need to create a new one. Store it securely (e.g., in a password manager or secrets vault).

Key Hashing

API keys are hashed with SHA-256 before storage. When a request arrives, the gateway hashes the provided key and compares it against stored hashes. This means:

  • A database breach does not expose raw API keys
  • Keys cannot be recovered — only replaced
  • Key validation is fast (hash comparison)
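
The hash-and-compare check described above, sketched for Node.js as an added example (not Workjet's gateway code). The function names, the in-memory store, and the constant-time comparison are assumptions; the sample key in use is the one shown under Key Format.

```javascript
// Added illustration; function names and the in-memory store are hypothetical.
const crypto = require('node:crypto');

// Format stated on this page: "wj_live_" followed by 32+ alphanumeric characters.
const KEY_PATTERN = /^wj_live_[A-Za-z0-9]{32,}$/;

// A fast unsalted hash is only reasonable because keys are assumed to be long
// and randomly generated; it would not be appropriate for passwords.
function hashKey(rawKey) {
  return crypto.createHash('sha256').update(rawKey, 'utf8').digest();
}

// Extract the key from an "Authorization: Bearer <key>" value; null if malformed.
function extractKey(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const match = /^Bearer\s+(\S+)$/i.exec(headerValue.trim());
  return match && KEY_PATTERN.test(match[1]) ? match[1] : null;
}

function createKeyStore() {
  const records = []; // each record: { name, digest (Buffer), revoked }
  return {
    // Only the digest is kept; the raw key is never stored.
    add(name, rawKey) {
      records.push({ name, digest: hashKey(rawKey), revoked: false });
    },
    revoke(name) {
      for (const r of records) if (r.name === name) r.revoked = true;
    },
    // Returns 200 for a known, unrevoked key and 401 otherwise.
    authenticate(headerValue) {
      const rawKey = extractKey(headerValue);
      if (rawKey === null) return { status: 401, name: null };
      const candidate = hashKey(rawKey);
      let hit = null;
      for (const r of records) {
        // Both buffers are 32 bytes, so timingSafeEqual never throws here.
        if (crypto.timingSafeEqual(r.digest, candidate) && !r.revoked) hit = r;
      }
      return hit ? { status: 200, name: hit.name } : { status: 401, name: null };
    },
    // What a database dump would contain: names and hex digests only.
    dump() {
      return records.map((r) => ({ name: r.name, digest: r.digest.toString('hex'), revoked: r.revoked }));
    },
  };
}
```

Calling dump() on a populated store shows why a database breach exposes digests but not usable keys, and revoke() followed by authenticate() reproduces the 401 behaviour described under Revoking a Key.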

Using an API Key

Include the API key in the Authorization header as a Bearer token:

Authorization: Bearer wj_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Example: cURL

curl -X POST https://api.workjet.dev/v1/chat/completions \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer wj_live_a1b2c3d4..." \
  -d '{
    "model": "claude-4-sonnet",
    "messages": [
      { "role": "user", "content": "Hello, world!" }
    ]
  }'

Example: JavaScript (fetch)

const response = await fetch('https://api.workjet.dev/v1/chat/completions', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer wj_live_a1b2c3d4...',
  },
  body: JSON.stringify({
    model: 'claude-4-sonnet',
    messages: [
      { role: 'user', content: 'Hello, world!' }
    ],
  }),
});

Error Responses

Status  Code          Description
401     unauthorized  Missing or invalid API key / session cookie
403     forbidden     Valid credentials but insufficient permissions for the requested resource
429     rate_limited  Too many requests. Check X-RateLimit-* headers for retry timing

Revoking a Key

To revoke an API key:

  1. Navigate to Settings > API Keys in the Portal
  2. Find the key by its name
  3. Click Revoke
  4. Confirm the revocation

Revoked keys are immediately invalid. Any requests using a revoked key receive a 401 Unauthorized response.
