Authentication
Configure API keys and manage access to the Metalogue API.
Metalogue uses API keys for authentication. All API requests must include a valid API key.
API Keys
Creating an API Key
- Go to app.metalogue.xyz/settings/api-keys
- Click Create API Key
- Name your key (e.g., "Production", "Development")
- Select permissions (or use default for full access)
- Copy the key immediately—it won't be shown again
API Key Format
Metalogue API keys have the format:
mlo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The mlo_ prefix identifies Metalogue keys and enables faster validation.
Using Your API Key
Include the API key in the Authorization header:
curl -X POST https://api.metalogue.xyz/v1/federate \
-H "Authorization: Bearer mlo_your_api_key" \
-H "Content-Type: application/json" \
-d '{"query": "What was the auth decision?"}'
Or use the SDKs:
TypeScript:
const client = new MetalogueClient({
apiKey: process.env.METALOGUE_API_KEY,
});
Python:
import os

client = MetalogueClient(api_key=os.environ["METALOGUE_API_KEY"])
Go:
client := metalogue.NewClient(os.Getenv("METALOGUE_API_KEY"))
Environment Variables
We recommend storing API keys in environment variables:
# .env file
METALOGUE_API_KEY=mlo_your_api_key
METALOGUE_BASE_URL=https://api.metalogue.xyz # Optional
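The snippets above read the key straight from the environment. As an added example (not Metalogue's SDK code), the helper below shows the checks a client should run before the key ever goes on the wire: fail closed if the variable is unset or does not match the documented `mlo_` + 32-character shape (the character set is not stated on the page, so alphanumeric is an assumption here), refuse a non-HTTPS base URL, and produce a redacted form of the key for logs. `MetalogueClient` itself is not modelled; `auth_headers` returns the headers the curl example sends.

```python
import os
import re

# Documented shape is "mlo_" followed by 32 characters. Alphanumeric is an
# assumption of this example; the page does not specify the alphabet.
KEY_PATTERN = re.compile(r"^mlo_[A-Za-z0-9]{32}$")
DEFAULT_BASE_URL = "https://api.metalogue.xyz"


class ConfigError(ValueError):
    """Raised when the environment does not yield a usable credential."""


def load_api_key(env=None):
    """Read METALOGUE_API_KEY and validate its shape before use.

    Passing `env` (a mapping) lets callers and tests avoid touching os.environ.
    """
    env = os.environ if env is None else env
    key = env.get("METALOGUE_API_KEY", "").strip()
    if not key:
        raise ConfigError("METALOGUE_API_KEY is not set")
    if not KEY_PATTERN.match(key):
        # A malformed value is more likely a mis-pasted secret from another
        # service than a valid key; refuse to send it anywhere.
        raise ConfigError("METALOGUE_API_KEY is not a Metalogue key (expected mlo_ + 32 chars)")
    return key


def redact(key):
    """Log-safe form: prefix plus last four characters, never the full key."""
    return key[:4] + "..." + key[-4:]


def auth_headers(key):
    """Headers for an API call, matching the curl example on this page."""
    return {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}


def base_url(env=None):
    """Honour the optional METALOGUE_BASE_URL override, but only over HTTPS."""
    env = os.environ if env is None else env
    url = env.get("METALOGUE_BASE_URL", DEFAULT_BASE_URL).rstrip("/")
    if not url.startswith("https://"):
        # A bearer token over plain HTTP is a credential leak; refuse.
        raise ConfigError("METALOGUE_BASE_URL must use https")
    return url


if __name__ == "__main__":
    # Constructed key for demonstration; not a real credential.
    demo_env = {"METALOGUE_API_KEY": "mlo_" + "a" * 32}
    key = load_api_key(demo_env)
    print("using key", redact(key), "against", base_url(demo_env))
```

Validating the prefix locally is a cheap guard, not a substitute for server-side validation; its value is catching configuration mistakes (wrong variable, wrong provider's key) before a request with a bad credential is logged somewhere.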
Key Permissions
API keys can be scoped to specific permissions:
| Permission | Description |
|---|---|
| query | Execute federated queries |
| federate | Cross-node federation |
| connector:read | List and view connectors |
| connector:write | Create, update, delete connectors |
| audit:read | View audit logs |
| audit:export | Export compliance reports |
Creating Scoped Keys
// Admin action - not available in SDK
// Create via dashboard or Admin API
Rate Limits
API requests are rate-limited per API key:
| Plan | Requests/min | Requests/hour |
|---|---|---|
| Free | 60 | 1,000 |
| Pro | 300 | 10,000 |
| Enterprise | Custom | Custom |
Rate limit headers are included in every response:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 58
X-RateLimit-Reset: 1706745600
When rate limited, you'll receive a 429 Too Many Requests response:
{
"error": "rate_limit_exceeded",
"message": "Rate limit exceeded. Retry after 42 seconds.",
"retry_after": 42
}
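The headers and the 429 body above give a client two things: a per-minute quota to pace itself against, and an explicit `retry_after` when it has already overrun. As an added example (not part of the Metalogue SDK), the code below parses both and wraps a request function in a bounded retry loop. It assumes `X-RateLimit-Reset` is a Unix timestamp in seconds, which is consistent with the sample value but not stated on the page; `send`, `sleep` and `clock` are injected so the loop can be exercised offline with constructed responses.

```python
import json
import time


def retry_delay(status, headers, body, now):
    """Seconds to wait before retrying, or None when the response is not a 429.

    Prefers the server's retry_after from the JSON body; falls back to the
    X-RateLimit-Reset header (assumed to be Unix seconds), with a 1s floor so a
    clock skew can never produce a zero or negative wait.
    """
    if status != 429:
        return None
    try:
        retry_after = json.loads(body).get("retry_after")
    except (ValueError, AttributeError, TypeError):
        # Body was not a JSON object; rely on the header instead.
        retry_after = None
    if isinstance(retry_after, (int, float)) and retry_after >= 0:
        return float(retry_after)
    reset_at = int(headers.get("X-RateLimit-Reset", "0"))
    return max(float(reset_at - now), 1.0)


def should_throttle(headers, threshold=5):
    """True when the remaining quota is low enough to slow down voluntarily."""
    return int(headers.get("X-RateLimit-Remaining", "0")) <= threshold


def call_with_retry(send, request, max_attempts=3, sleep=time.sleep, clock=time.time):
    """Call send(request) -> (status, headers, body), retrying only on 429.

    The attempt cap keeps a misbehaving client from hammering the API forever;
    the final 429 is returned to the caller rather than swallowed.
    """
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send(request)
        delay = retry_delay(status, headers, body, clock())
        if delay is None or attempt == max_attempts:
            return status, headers, body
        sleep(delay)


if __name__ == "__main__":
    # Constructed responses mirroring the page's sample: one 429, then success.
    scripted = [
        (429, {"X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "0",
               "X-RateLimit-Reset": "1706745600"},
         '{"error": "rate_limit_exceeded", "retry_after": 42}'),
        (200, {"X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "59",
               "X-RateLimit-Reset": "1706745660"}, '{"results": []}'),
    ]
    status, headers, body = call_with_retry(
        lambda req: scripted.pop(0), {"query": "demo"},
        sleep=lambda s: print(f"sleeping {s}s"), clock=lambda: 1706745558)
    print(status, body)
```

Retrying only on 429 matters: a 401 or 403 means the key is wrong or lacks a permission, and retrying those just generates more failed-auth entries in the audit log.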
SSO Authentication (Enterprise)
For enterprise deployments, Metalogue supports:
SAML 2.0
Configure your identity provider:
- Go to Settings → SSO → SAML
- Enter your IdP metadata URL or upload metadata XML
- Configure attribute mappings
- Test the connection
Required Attributes:
- email (NameID or attribute)
- name (optional)
- groups (optional, for role mapping)
OIDC
Configure OpenID Connect:
- Go to Settings → SSO → OIDC
- Enter your Client ID and Client Secret
- Enter your Issuer URL
- Test the connection
Supported Providers:
- Okta
- Azure AD
- Google Workspace
- Auth0
- OneLogin
Service Accounts
For machine-to-machine authentication (CI/CD, scheduled jobs):
// Service accounts use the same API key format
// but are not tied to a user
const client = new MetalogueClient({
apiKey: process.env.METALOGUE_SERVICE_ACCOUNT_KEY,
});
Create service accounts in Settings → API Keys → Service Accounts.
Security Best Practices
- Never commit API keys to version control
- Use environment variables for all keys
- Rotate keys regularly (every 90 days recommended)
- Use scoped permissions when possible
- Monitor usage in the dashboard
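The first and third items are the ones that lend themselves to automation. As an added example (not a Metalogue tool), the code below implements two such checks: a scanner that finds `mlo_`-prefixed key literals in file contents, as a pre-commit hook would run over staged files, and a rotation check that flags keys older than the 90 days recommended above. The key pattern assumes 32 alphanumeric characters after the prefix, which the page does not specify; the file contents and key metadata are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Documented shape is "mlo_" + 32 characters; alphanumeric is an assumption.
KEY_RE = re.compile(r"mlo_[A-Za-z0-9]{32}")
ROTATION_PERIOD = timedelta(days=90)


def find_leaked_keys(path, text):
    """Return (path, line_no, redacted_key) for every key literal in `text`.

    The key is redacted before it is returned so that hook output, CI logs and
    tickets never carry the full secret.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            hits.append((path, line_no, key[:4] + "..." + key[-4:]))
    return hits


def scan_files(files):
    """files: {path: contents}, e.g. the staged files of a commit."""
    hits = []
    for path, text in files.items():
        hits.extend(find_leaked_keys(path, text))
    return hits


def keys_due_for_rotation(keys, now):
    """keys: [(name, created_at)] with tz-aware datetimes; returns names past 90 days."""
    return [name for name, created in keys if now - created >= ROTATION_PERIOD]


# Constructed stand-in for a set of staged files. Neither key is real.
SAMPLE_FILES = {
    "src/config.ts": 'const apiKey = "mlo_' + "A" * 32 + '";  // hard-coded\n',
    "README.md": "Set METALOGUE_API_KEY in your environment.\n",
    ".env": "METALOGUE_API_KEY=mlo_" + "b" * 32 + "\n",
}

# Constructed key inventory, as a dashboard export or Admin API listing might provide.
SAMPLE_KEYS = [
    ("Production", datetime(2024, 1, 1, tzinfo=timezone.utc)),
    ("Development", datetime(2024, 5, 1, tzinfo=timezone.utc)),
]


if __name__ == "__main__":
    for path, line_no, redacted in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: possible Metalogue key {redacted}")
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for name in keys_due_for_rotation(SAMPLE_KEYS, now):
        print(f"key {name!r} is older than 90 days; rotate it")
```

A hit in `.env` is expected when that file is git-ignored, so a real hook should consult the ignore list before failing the commit; a hit in source code should always fail it. Because the `mlo_` prefix is fixed, the same pattern is cheap to add to any existing secret scanner.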
Revoking Keys
To revoke an API key:
- Go to Settings → API Keys
- Find the key to revoke
- Click Revoke
- Confirm the action
Revoked keys are immediately invalidated.
