Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.sigmic.ai/llms.txt

Use this file to discover all available pages before exploring further.

Authentication

All Task Execution API endpoints require authentication. You can authenticate using either an API key (for server-side integrations) or a JWT token (for browser-based widgets).
MethodFormatUse Case
API Keysigmic_...Server-side integrations, scripts, CI/CD
JWT TokeneyJ...Browser widgets, embedded chat UIs
For browser-based integrations where code is visible to end users, use Widget Authentication with short-lived JWTs instead of exposing API keys.

API Key Authentication

Getting Your API Key

API keys are created through the Console:
  1. Log in to your Sigmic AI account
  2. Open the Console and select a project
  3. Go to the API Keys tab in project settings
  4. Click Create API Key
  5. Give your key a name and optional expiration
  6. Copy and securely store the generated key
The secret key is only shown once during creation. Store it securely immediately - you won’t be able to see it again.
API keys are scoped to projects. Tasks created with an API key use the configuration (MCP servers, skills, tool policies) from that key’s associated project.

Using Your API Key

Include your API key in every request using one of these methods: 
Authorization: Bearer sigmic_your_api_key_here

Option 2: X-API-Key Header

X-API-Key: sigmic_your_api_key_here

API Key Format

API keys follow this format: 
sigmic_ + 64 hexadecimal characters
Example: 
sigmic_3898e123bff7df20c5a60c5ce4b8b8fe316ef15cc90cb71c976eb752b8bfe7ca

Example Request

curl -X GET https://api.sigmic.ai/api/v1/tasks \
  -H "Authorization: Bearer sigmic_3898e123bff7df20c5a60c5ce4b8b8fe316ef15cc90cb71c976eb752b8bfe7ca"

JWT Authentication (Widgets)

For browser-based widgets and embedded UIs, use short-lived JWT tokens instead of API keys. See the Widget Authentication guide for the full setup flow.

Using a JWT

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
JWT tokens work with all the same Task API endpoints as API keys. The auth middleware auto-detects the format based on the token prefix.

Authentication Errors

Error CodeHTTP StatusDescription
AUTH_REQUIRED401No authentication was provided in the request
INVALID_API_KEY401The API key is invalid or has expired
INVALID_AUTH_FORMAT401Token format not recognized
INVALID_TOKEN401JWT is invalid or has expired
JWT_NOT_CONFIGURED501Server does not have JWT signing configured
ORIGIN_NOT_ALLOWED403Request origin not in widget app’s allowed origins

Organization Context

API keys are scoped to projects, and projects belong to an organization. When you authenticate with an API key:
  • Tasks run using the project’s configuration (MCP servers, skills, tool policies)
  • Usage is tracked at the organization level
  • Only organization members with access to the project can manage its API keys
The JWT tokens issued on login include the user’s orgId and orgRole claims, which are used for authorization across all endpoints.

Security Best Practices

API keys should only be used in server-side code. Never include them in JavaScript that runs in the browser, mobile apps, or any code that could be inspected by users.
Store your API key in environment variables rather than hardcoding it in your source code.
export SIGMIC_API_KEY="sigmic_your_key_here"
Create new API keys periodically and disable old ones. You can manage multiple keys through the Settings panel.
Create separate API keys for development, staging, and production environments so you can revoke them independently if needed.