Authentication

API key types, generation, and how to authenticate requests

To access the SteelEngine API, you need an API key. SteelEngine supports three types of API keys — personal keys, workspace keys, and organization keys — each with different billing and access behaviors.

Key Types

Personal KeysWorkspace KeysOrganization Keys
Billed toYour individual accountWorkspace ownerWorkspace owner
ScopeAcross workspaces you have access toShared across the workspaceExplicit grants: chosen workspaces and/or individual workflows
Managed byEach user individuallyWorkspace adminsOrganization admins
PermissionsMust be enabled at workspace levelRequire admin permissionsPer-grant read/write/admin level

Workspace admins can disable personal API key usage for their workspace. If disabled, only workspace and organization keys can be used.

Scoped keys

Workspace keys can optionally be narrowed to specific workflows at creation time. Organization keys always carry an explicit scope list — each grant targets a workspace or a single workflow and carries its own permission level (read, write, or admin). A key is rejected with 403 when used outside its grants, and an organization key loses access to a workspace that leaves the organization.

Generating API Keys

To generate a personal or workspace key, open the SteelEngine dashboard and navigate to workspace Settings → API Keys and click Create. Organization keys are managed in Organization Settings → API Keys by organization admins; the workspace settings page also lists which organization keys can reach the current workspace.

API keys are only shown once when generated. Store your key securely — you will not be able to view it again.

Using API Keys

Pass your API key in the X-API-Key header with every request:

curl -X POST https://steelengine.com/api/workflows/{workflowId}/execute \
  -H "Content-Type: application/json" \
  -H "X-API-Key: YOUR_API_KEY" \
  -d '{"inputs": {}}'
const response = await fetch(
  'https://steelengine.com/api/workflows/{workflowId}/execute',
  {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-API-Key': process.env.STEELENGINE_API_KEY!,
    },
    body: JSON.stringify({ inputs: {} }),
  }
)
import requests

response = requests.post(
    "{{APP_URL}}/api/workflows/{workflowId}/execute",
    headers={
        "Content-Type": "application/json",
        "X-API-Key": os.environ["STEELENGINE_API_KEY"],
    },
    json={"inputs": {}},
)

Where Keys Are Used

API keys authenticate access to:

  • Workflow execution — run deployed workflows via the API
  • Logs API — query workflow execution logs and metrics
  • MCP servers — authenticate connections to deployed MCP servers
  • SDKs — the Python and TypeScript SDKs use API keys for all operations

Security

  • Keys use the sk-steelengine- prefix and are encrypted at rest
  • Keys can be revoked at any time from the dashboard
  • Use environment variables to store keys — never hardcode them in source code
  • For browser-based applications, use a backend proxy to avoid exposing keys to the client

Never expose your API key in client-side code. Use a server-side proxy to make authenticated requests on behalf of your frontend.

On this page