The Guard API authenticates with an API key sent in a request header.

The header

X-Starfort-Guard-Api-Key: sf_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • Keys are created per Guardian in the Console and start with sf_.
  • A key is shown once at creation — store it securely.
  • The key’s name is recorded as a tag on every trace, so name keys by caller/environment.
There are no auth query parameters — authentication is header-only.

Invalid or missing key

A key is rejected with HTTP 401 when it is missing, not found or malformed, or revoked. Revocation is permanent and irreversible: a revoked key never authenticates again.
{
  "ok": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid credentials (getApiGuardGate)",
    "details": "API_KEY_INVALID"
  }
}

Authentication vs. active state

Authentication (the 401 above) is checked before, and separately from, whether the key is currently allowed to run. A key that authenticates can still be stopped because an admin toggled it inactive or a Kill Switch fired on a parent resource — those are not 401s and don’t reveal which resource blocked them. See Errors & states.
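
Client-side handling of the header and of the 401 described above, as an added example that is not Starfort's own code. The environment variable name `STARFORT_GUARD_API_KEY`, the function names and the returned labels are assumptions; the sample body is the 401 response shown above.

```python
import json
import os

HEADER = "X-Starfort-Guard-Api-Key"  # header name from the page
KEY_PREFIX = "sf_"                   # key prefix from the page

# The 401 body shown on the page, reused as sample input.
SAMPLE_401 = ('{"ok": false, "error": {"code": "UNAUTHORIZED", '
              '"message": "Invalid credentials (getApiGuardGate)", '
              '"details": "API_KEY_INVALID"}}')


def load_key(env=os.environ, var="STARFORT_GUARD_API_KEY"):
    """Read the key from the environment; the variable name is an assumption."""
    key = env.get(var, "").strip()
    if not key.startswith(KEY_PREFIX) or len(key) <= len(KEY_PREFIX):
        raise ValueError(f"{var} is unset or does not start with {KEY_PREFIX}")
    return key


def redact(key):
    """Log-safe form of a key: the prefix plus its last four characters."""
    return f"{KEY_PREFIX}...{key[-4:]}"


def auth_headers(key):
    """Authentication is header-only, so the key never goes into the URL."""
    return {HEADER: key}


def classify(status, body):
    """Separate a rejected key (401) from every other outcome."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        doc = {}
    err = doc.get("error") if isinstance(doc, dict) else None
    err = err if isinstance(err, dict) else {}
    if status == 401:
        # Missing, malformed, unknown or revoked key: resending it will not help.
        return "key_rejected", err.get("details")
    if status >= 400:
        # Not an authentication failure; an authenticated key can still be
        # stopped (inactive, Kill Switch). See Errors & states for these.
        return "not_auth_failure", err.get("code")
    return "ok", None
```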

Managing keys

Keys can be active or inactive, and can be revoked. Revocation is permanent. See Manage API keys for the full lifecycle.