DRD.io uses three authentication domains: dashboard auth (Clerk), API keys for server-to-server, and Ed25519 JWT tokens for the SDK.
Domain 1
Dashboard users authenticate via Clerk, supporting email/password, GitHub OAuth, and Google OAuth. Sessions are managed automatically.
Standard credential-based auth
One-click sign-in via GitHub
One-click sign-in via Google
Enterprise plan only
Domain 2
API keys are used for server-to-server API calls. Keys are created in the dashboard and follow this format:
drd_live_sk_a1b2c3... # Live key
drd_test_sk_x9y8z7... # Test key
Full key shown only once at creation — copy and store securely
Only a SHA-256 hash of each key is stored, together with a 6-character prefix used for lookup
Keys can be scoped to specific workspaces and permissions
Keys can be rotated or revoked instantly from the dashboard
# Pass in Authorization header
curl -H "Authorization: Bearer drd_live_sk_a1b2c3..." \
https://api.drd.io/api/v1/agents
Domain 3
For high-frequency SDK operations (like guard()), API keys are exchanged for short-lived JWT tokens signed with Ed25519. These tokens expire after 15 minutes and are automatically refreshed.
// Token exchange (handled automatically by the SDK)
POST /api/v1/tokens
Authorization: Bearer drd_live_sk_...
// Response
{
"token": "eyJhbGciOiJFZDI1NTE5...",
"expiresAt": "2026-02-09T12:15:00Z"
}
API keys and SDK tokens can be scoped to specific permissions.
| Scope | Description |
|---|---|
| agents:read | View agent details and reputation |
| agents:write | Create, update, delete agents |
| policies:read | View policies |
| policies:write | Create, update, delete policies |
| policies:evaluate | Evaluate actions against policies |
| events:write | Ingest events |
| events:read | Query and stream events |
| enforcement:read | View enforcements |
| enforcement:write | Create and manage enforcements |
| approvals:manage | Approve or deny requests |