Authentication

API requests are authenticated with an API key. The same key authenticates the full API surface (REST endpoints and cloud browser sessions), so you only need to generate one.

Generate an API key


You can generate a key from three places. They all create the same account-scoped key, so use whichever surface you already have open.

Signing up from code? If you're writing an agent, a Claude skill, or any tool that needs to onboard its own users without sending them to the dashboard first, see Programmatic signup for the three-call REST flow that creates an account and mints a key end-to-end.

From the Chrome extension

  1. Open the Dashboard.
  2. In the left sidebar, click Credentials and API key.
  3. Scroll to Generate Axiom API token.
  4. Click Show API Token to reveal an existing key, or Refresh API Token to generate a new one.
  5. Copy the value.

From the Code Dashboard

  1. Open the Code dashboard.
  2. Click the Settings cog in the left sidebar.
  3. Select API key.
  4. Click Delete and re-generate API key.
  5. Copy the value.

From the Live editor

The Live editor has a shortcut so you can paste a key (or generate one) without leaving the script you're testing.

  1. Open the Code dashboard.
  2. Click Live editor, then Test Puppeteer scripts.
  3. Paste your key into the API key field, or click Generate key to create a new one.

The key is automatically substituted into the [HIDDEN_KEY] placeholder in the example script, so you can run it immediately.

Warning: generating a new key immediately invalidates the previous one. Any external integration using the old key (Zapier, Make, custom scripts, MCP servers, Puppeteer connections) stops working until you update it.

Use the key in a request


For REST endpoints, the API key can be passed in any of three transports; pick whichever fits your stack. The server checks them in this order: body, header, bearer. The first one that's set is used, so send the key in only one transport per request.

X-API-KEY header

curl -X POST https://lar.axiom.ai/api/v5/browser/open \
  -H "Content-Type: application/json" \
  -H "X-API-KEY: your-api-key-here" \
  -d '{}'

This is the transport the @axiom_ai/api Node library uses and the cleanest fit for most clients.

Authorization: Bearer header

curl -X POST https://lar.axiom.ai/api/v5/browser/open \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your-api-key-here" \
  -d '{}'

Useful when your HTTP client already has Bearer-token plumbing.

key field in the JSON body

curl -X POST https://lar.axiom.ai/api/v3/remaining-runtime \
  -H "Content-Type: application/json" \
  -d '{"key": "your-api-key-here"}'

The legacy transport. Required by POST /api/v3/trigger and POST /api/v3/stop, whose controllers read the key from the body directly rather than going through the shared auth middleware. Optional everywhere else.

CDP WebSocket

For cloud browser sessions opened over the Chrome DevTools Protocol, the key is passed as the token query parameter on the WebSocket endpoint.

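import puppeteer from "puppeteer"; // or "puppeteer-core"

// The API key travels as the token query parameter.
const browser = await puppeteer.connect({
  browserWSEndpoint: "wss://cdp-lb.axiom.ai/?token=your-api-key-here"
});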

What the key authenticates


A single key authenticates the full API surface:

  • Trigger and manage cloud automation runs (/trigger, /stop, /run-data).
  • Check account quota (/remaining-runtime).
  • Drive cloud browser sessions over CDP (Puppeteer, Playwright, or the imperative session functions).

Keys are account-scoped: there is no per-automation, per-team, or per-integration key today, and only one active key per account at a time.

Security best practices


Treat your API key like a password.

  • Don't commit it to git, even in private repos.
  • Store it in environment variables or a secrets manager, not in client-side code. A key in client-side JavaScript is a key the world has.
  • Rotate the key if you suspect it's been exposed. Remember to update every integration immediately afterwards, because the old key stops working as soon as the new one is generated.
  • When sharing automations or scripts with teammates, share the source, not the key. Each developer can generate their own.
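
The practices above combined with the transport rules from earlier on this page, as an added example that is not Axiom's own code: it reads the key from an environment variable, sends it in exactly one transport per request, and masks the CDP token before a URL is logged. The variable name AXIOM_API_KEY and all helper names are assumptions.

```javascript
// Added example, not Axiom's code. AXIOM_API_KEY and all helper names are assumed.
const REST_BASE = "https://lar.axiom.ai";
const CDP_BASE = "wss://cdp-lb.axiom.ai/";
// Endpoints the page says read the key from the JSON body only.
const BODY_KEY_ONLY = new Set(["/api/v3/trigger", "/api/v3/stop"]);

// Read the key from the environment; fail closed if it is absent or a placeholder.
function loadKey(env = process.env) {
  const key = (env.AXIOM_API_KEY || "").trim();
  if (!key || key === "your-api-key-here") {
    throw new Error("AXIOM_API_KEY is not set");
  }
  return key;
}

// Build fetch() arguments that carry the key in exactly one transport.
function buildRequest(path, payload, key) {
  if (payload && "key" in payload) {
    // The body is checked first, so a stale key here would override the header.
    throw new Error("payload must not carry its own 'key' field");
  }
  const headers = { "Content-Type": "application/json" };
  const body = { ...payload };
  if (BODY_KEY_ONLY.has(path)) {
    body.key = key;
  } else {
    headers["X-API-KEY"] = key;
  }
  const init = { method: "POST", headers, body: JSON.stringify(body) };
  return { url: REST_BASE + path, init };
}

// CDP sessions take the key as the token query parameter.
function cdpEndpoint(key) {
  const url = new URL(CDP_BASE);
  url.searchParams.set("token", key);
  return url.toString();
}

// Mask the token before a WebSocket URL reaches logs or error reports.
function redactUrl(raw) {
  const url = new URL(raw);
  if (url.searchParams.has("token")) url.searchParams.set("token", "REDACTED");
  return url.toString();
}
```

Log `redactUrl(endpoint)` and hand the unredacted endpoint only to the CDP client.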