Authentication
The LaunchGate API supports two authentication modes.
API key authentication
Used by the SDK, CLI, and GitHub Action. API keys start with lg_.
Authorization: Bearer lg_live_your_key_here
- Keys are validated against bcrypt hashes in the database
- Must have product_slug = 'launchgate' and not be revoked/expired
- Resolves to an org_id that scopes all subsequent queries
JWT authentication
Used by the dashboard. JWTs are issued by Auth0 and start with eyJ.
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...
- Validated via Auth0 JWKS endpoint
- Must contain the LaunchGate API audience (https://api.launchgate.ai)
- Resolves to a user_id and org_id
Auth context
Both modes resolve an authentication context:
{
  orgId: string; // Organisation ID (always present)
  userId: string | null; // User ID (JWT only, null for API keys)
  authMode: "api_key" | "jwt";
  apiKeyId: string | null; // API key ID (API key only)
}
All data queries are scoped to the resolved orgId.
Brute-force protection
The API implements brute-force protection:
- 10 failed authentication attempts per IP address within a 15-minute window
- After exceeding the limit, all requests from that IP receive 401 until the window resets
If you’re getting unexpected 401 errors, check that you haven’t exceeded the brute-force limit. Wait 15 minutes or use a different API key.
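The limit described above, as an added TypeScript example (not LaunchGate's own code): a fixed-window counter of failed attempts per IP that returns 401 for every request from a blocked IP, valid credentials included. FailedAuthLimiter, handleAuth and credentialOk are hypothetical names; it assumes the window starts at an IP's first failure and that blocking begins once the 10th failure is recorded.

```typescript
// Added example: fixed-window failed-auth limiter keyed by client IP.
// Assumptions (not stated on the page): the window starts at the first
// failure, and blocking begins once the 10th failure is recorded.
const MAX_FAILURES = 10;
const WINDOW_MS = 15 * 60 * 1000;

type Entry = { failures: number; windowStart: number };

class FailedAuthLimiter {
  private entries = new Map<string, Entry>();

  // Returns the live entry for an IP, dropping it if its window has expired.
  private current(ip: string, now: number): Entry | undefined {
    const e = this.entries.get(ip);
    if (e && now - e.windowStart >= WINDOW_MS) {
      this.entries.delete(ip);
      return undefined;
    }
    return e;
  }

  // Checked before credentials are verified, so a blocked IP gets 401
  // even when it presents a valid key.
  isBlocked(ip: string, now: number): boolean {
    const e = this.current(ip, now);
    return e !== undefined && e.failures >= MAX_FAILURES;
  }

  // Successful requests do not reset the count (an assumption).
  recordFailure(ip: string, now: number): void {
    const e = this.current(ip, now);
    if (e) e.failures += 1;
    else this.entries.set(ip, { failures: 1, windowStart: now });
  }
}

// Hypothetical request handler: credentialOk stands in for the real
// bcrypt / JWKS verification; the return value is the HTTP status to send.
function handleAuth(limiter: FailedAuthLimiter, ip: string, credentialOk: boolean, now: number): number {
  if (limiter.isBlocked(ip, now)) return 401;
  if (!credentialOk) {
    limiter.recordFailure(ip, now);
    return 401;
  }
  return 200;
}
```

Because the counter is keyed by IP, clients behind a shared NAT or proxy share one budget of failures.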
Public endpoints
These endpoints do not require authentication:
| Endpoint | Description |
|---|---|
| GET /health | API health check |
| GET /v1/templates | List eval templates |
| GET /v1/templates/:slug | Get a specific template |