MuBit runtime access uses API keys across SDK, HTTP, and gRPC surfaces. Correct key handling is operationally critical for developer teams.
Most authentication incidents in AI platform integrations come from key and environment drift, not protocol design. Keep endpoint-key pairing explicit, keep keys server-side only, and run controlled rotation workflows. This gives predictable auth behavior across development, staging, and production.
API key model
- Key format:
mbt_<instance_tag>_<key_id>_<secret>
- Header:
Authorization: Bearer <api_key>
Canonical environment setup:
MUBIT_API_KEY="mbt_<instance>_<key_id>_<secret>"
Key lifecycle endpoints
| Route | Purpose |
|---|
POST /v2/core/auth/users | Create user and initial key |
POST /v2/core/auth/users/:username/rotate_key | Rotate user key |
POST /v2/core/auth/users/:username/revoke_key | Revoke active key |
GET /v2/core/auth/users | List users |
GET /v2/core/auth/users/:username | Inspect user |
Never expose MuBit API keys in browser clients.
Failure modes and troubleshooting
| Symptom | Root cause | Fix |
|---|
| Invalid key format errors | Truncated or malformed key | Re-issue and validate full mbt_... value |
| Repeated 401/403 | Wrong key, revoked key, or wrong endpoint | Verify endpoint-key pairing and rotate if needed |
| Partial rollout failures | Mixed key versions after rotation | Stage rollout and confirm complete deploy |
Next steps
