API authentication

Two ways to authenticate with the API: session cookies for browser use and API keys for programmatic access.

Two authentication methods

Le Bureau supports two ways to authenticate API requests:

Session cookies -- used automatically when you are logged into the dashboard. Your browser sends the session cookie with every request. No extra setup needed.

API keys -- used for programmatic access from scripts, CI/CD pipelines, or third-party integrations. You pass the key in the x-api-key HTTP header.

Both methods give you full access to the API. The difference is how you obtain and manage the credential.

Session cookie authentication

When you sign in via Google or GitHub OAuth, Le Bureau creates a secure session. The session cookie is set automatically in your browser and sent with every request to lebureau.talentai.fr.

You do not need to do anything special -- if you are logged in, API calls from the browser just work. This is how the dashboard itself communicates with the API.

Session cookies are httpOnly, secure, and scoped to the Le Bureau domain. They cannot be accessed from JavaScript and are not suitable for use outside the browser.

API key authentication

For programmatic access, create an API key and pass it in the x-api-key header:

curl https://lebureau.talentai.fr/api/desktops \
  -H "x-api-key: lb_k_abc123..."

API keys are:

  • Prefixed with lb_k_ for easy identification
  • Stored as bcrypt hashes -- the plaintext key is shown only once at creation time
  • Scoped to your account -- all desktops and resources you own are accessible
  • Revocable at any time from the dashboard

See API keys for instructions on creating and managing keys.
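The request flow above, as an added Node.js example rather than Le Bureau's own client library: the key goes only in the x-api-key header, keys without the documented lb_k_ prefix are rejected before any request leaves the process, 401 and 403 are surfaced as errors with the meanings from this page, and a 429 (returned when the general rate limit is exceeded) is retried with exponential backoff. The hostname, header name and key prefix come from the page; the fetchImpl and sleep parameters, the ApiError class, the backoff schedule and the fake server are assumptions made so the code runs offline.

```javascript
// Added example, not Le Bureau's own client library. fetchImpl and sleep are
// injectable so the logic runs offline against the constructed fake server
// below; only the hostname, header name and key prefix come from the docs.

const BASE_URL = 'https://lebureau.talentai.fr';
const KEY_PREFIX = 'lb_k_';

class ApiError extends Error {
  constructor(status, message) {
    super(`${status}: ${message}`);
    this.status = status;
  }
}

// Fail fast on a malformed key (for example an empty CI secret) instead of
// burning failed-auth attempts against the per-IP lockout.
function validateApiKey(apiKey) {
  return typeof apiKey === 'string'
    && apiKey.length > KEY_PREFIX.length
    && apiKey.startsWith(KEY_PREFIX);
}

async function apiRequest(path, options) {
  const {
    apiKey,
    fetchImpl = globalThis.fetch,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    maxRetries = 3,   // assumed policy, not from the docs
    baseDelayMs = 500,
  } = options;
  if (!validateApiKey(apiKey)) throw new Error(`API key must start with ${KEY_PREFIX}`);

  for (let attempt = 0; ; attempt++) {
    // The key travels in a header, never in the URL, so it stays out of
    // access logs and browser history.
    const response = await fetchImpl(`${BASE_URL}${path}`, {
      headers: { 'x-api-key': apiKey, accept: 'application/json' },
    });
    if (response.status === 429) {
      if (attempt >= maxRetries) throw new ApiError(429, 'rate limit exceeded, retries exhausted');
      await sleep(baseDelayMs * 2 ** attempt); // 500 ms, 1 s, 2 s, ... then retry
      continue;
    }
    if (response.status === 401) throw new ApiError(401, 'no valid session cookie or API key provided');
    if (response.status === 403) throw new ApiError(403, 'authenticated, but no access to this resource');
    if (!response.ok) throw new ApiError(response.status, 'unexpected response');
    return response.json();
  }
}

// Constructed fake server for offline use: answers 429 for the first
// `rateLimited` calls and 200 with `body` afterwards, recording each call.
function fakeFetch(rateLimited, body) {
  const impl = async (url, init) => {
    impl.calls.push({ url, headers: init.headers });
    if (impl.calls.length <= rateLimited) return { status: 429, ok: false, json: async () => ({}) };
    return { status: 200, ok: true, json: async () => body };
  };
  impl.calls = [];
  return impl;
}

// Two 429s followed by a successful listing; returns what happened.
async function demo() {
  const server = fakeFetch(2, { desktops: [] });
  const result = await apiRequest('/api/desktops', {
    apiKey: 'lb_k_constructed_example_key', fetchImpl: server, sleep: async () => {},
  });
  return { calls: server.calls.length, result };
}
```

Against the real API, call apiRequest with only apiKey set so the global fetch and a real sleep are used; demo() exercises the retry path against the fake server without touching the network.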

Rate limiting

Rate limits per endpoint:

Limit                  Threshold      Window
General API            120 requests   per minute
Failed API key auth    10 attempts    per 60 seconds per IP

If you exceed the general rate limit, you receive a 429 Too Many Requests response. Wait and retry.

If you send 10 invalid API keys within 60 seconds from the same IP, that IP is temporarily blocked from API key authentication. This prevents brute-force attacks against key values.
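The per-IP lockout described above, as an added example of how such a limiter is built; this is not Le Bureau's server code. It keeps a sliding window of failed API key authentications per source IP with the thresholds from the table (10 failures per 60 seconds) and refuses API key auth from that IP while the count is at the limit. The clock and the key check are injected so the behaviour can be exercised without waiting and without a database; in production the key check would be a bcrypt compare against the stored hash. That the lockout is reported as 429 is an assumption drawn from the page listing it among the rate limits.

```javascript
// Added example, not Le Bureau's server code. Thresholds match the docs;
// the injectable clock and verifyKey callback, and the 429 status for a
// locked-out IP, are assumptions.

class FailedAuthLimiter {
  constructor({ maxFailures = 10, windowMs = 60_000, now = () => Date.now() } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.now = now;
    this.failures = new Map(); // ip -> timestamps (ms) of recent failures
  }

  // Timestamps still inside the window; older ones are forgotten.
  recentFailures(ip) {
    const cutoff = this.now() - this.windowMs;
    const kept = (this.failures.get(ip) || []).filter((t) => t > cutoff);
    if (kept.length > 0) this.failures.set(ip, kept);
    else this.failures.delete(ip);
    return kept;
  }

  isBlocked(ip) {
    return this.recentFailures(ip).length >= this.maxFailures;
  }

  recordFailure(ip) {
    const kept = this.recentFailures(ip);
    kept.push(this.now());
    this.failures.set(ip, kept);
  }
}

// Server-side handling of one request carrying x-api-key; returns the HTTP
// status to send. A blocked IP is refused before the key is even checked, so
// a valid key does not lift the block. A wrong key counts as one failure.
function checkApiKeyAuth(limiter, ip, apiKey, verifyKey) {
  if (limiter.isBlocked(ip)) return 429;
  if (!verifyKey(apiKey)) {
    limiter.recordFailure(ip);
    return 401;
  }
  return 200;
}
```

Because the window slides, the block lifts 60 seconds after the oldest of the ten failures, not after a fixed cooldown; a single shared Map also means this only protects one process, so a multi-node deployment would keep the counters in shared storage.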

Authentication errors

Status                   Meaning
401 Unauthorized         No valid session cookie or API key provided
403 Forbidden            Authenticated, but you do not have access to this resource
429 Too Many Requests    Rate limit exceeded -- slow down

SSE endpoints and API keys

The EventSource browser API does not support custom headers. If you need to consume SSE endpoints (like the activity stream) with an API key, pass the key as a query parameter:

const eventSource = new EventSource(
  '/api/mission-control/activity/stream?apiKey=lb_k_abc123...'
);

This is the only case where the API key should appear in a URL. For all other requests, use the x-api-key header.
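Because the SSE case puts the key in a URL, it is also the case where the key is most likely to be copied into access logs, browser history and error reports. The added example below (not code from the Le Bureau docs or dashboard) builds the stream URL with the key as a properly encoded query parameter and redacts lb_k_ keys from any string before it is logged, keeping only the first four characters of the key body so a log line can still be matched to a key in the dashboard. The path and hostname are from the page; the assumed key character set and the redaction format are mine.

```javascript
// Added example, not from the Le Bureau docs. The key character set
// [A-Za-z0-9_-] is an assumption based on the lb_k_abc123... sample.

const ORIGIN = 'https://lebureau.talentai.fr';
const ACTIVITY_STREAM_PATH = '/api/mission-control/activity/stream';

// Build the SSE URL; URLSearchParams encodes any reserved characters.
// In the browser: new EventSource(activityStreamUrl(key)).
function activityStreamUrl(apiKey, origin = ORIGIN) {
  if (typeof apiKey !== 'string' || !apiKey.startsWith('lb_k_')) {
    throw new Error('not a Le Bureau API key');
  }
  const url = new URL(ACTIVITY_STREAM_PATH, origin);
  url.searchParams.set('apiKey', apiKey);
  return url.toString();
}

// Matches the documented lb_k_ prefix plus the key body; the first (up to)
// four body characters are kept so the line stays correlatable.
const API_KEY_PATTERN = /lb_k_([A-Za-z0-9_-]{1,4})[A-Za-z0-9_-]*/g;

// Run over any URL, header dump or log line before writing it anywhere.
function redactApiKeys(text) {
  return text.replace(API_KEY_PATTERN, (_match, head) => `lb_k_${head}***`);
}
```

Log the redacted form of the URL, never the URL itself; the same helper applied to request and error logs covers the x-api-key header for ordinary requests as well.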

Security practices

  • Never share API keys in public repositories, logs, or client-side code
  • Rotate keys periodically -- revoke the old key and create a new one
  • Use one key per integration so you can revoke access granularly
  • Monitor the dashboard for unexpected API key usage