Skip to main content
DocsAPI Open PlatformAuthentication and Rate Limiting

Authentication and Rate Limiting

Bearer / X-API-Key / query three writing methods, package rate limit, HTTP status code semantics.

All endpoints of the open platform are uniformly authenticated through API Key. This page explains clearly the three ways of writing Tokens, package rate limits, and the semantics of error responses.

Three Authentication Writing Methods

bash
curl https://braidrun.com/api/v1/workflows \
  -H "Authorization: Bearer dyk_<id>_<secret>"

The most standard writing method, supported by all SDKs by default. Production environment is preferred.

2.X-API-Key Header

bash
curl https://braidrun.com/api/v1/workflows \
  -H "X-API-Key: dyk_<id>_<secret>"

Suitable for scenarios where the proxy of some closed networks cannot forward the Authorization Header. Functionally equivalent to Bearer.

3. Query Parameter ?api_key= (Only in Scenarios Where Header Cannot Be Written)

text
https://braidrun.com/api/webhook-trigger/approval/appr-123/approve?api_key=dyk_<id>_<secret>
Use query parameters with caution

Query parameters will be recorded in browser history, Referer Header, HTTP server access logs, and CDN logs. It is only used in scenarios that must be triggered in the form of GET links (such as email/Slack/Telegram one-click approval links), and is used with a short TTL Key. Never give up Bearer priority to query parameters.

Priority

  1. Authorization: Bearer dyk_…
  2. X-API-Key: dyk_…
  3. ?api_key=dyk_…

Try from top to bottom and stop parsing when you find a non-empty one.

Rate Limiting

Each API Key has two upper limits of "per minute" and "daily", which are automatically applied according to the Key owner's package. Each Key has an independent quota and is not shared with other Keys in the same account.

Package Comparison Table

PackagePer MinuteDaily
Free602,000
Pro30050,000
Team1,200500,000
Enterprise6,000Any

Window Semantics

  • minute window · Use epoch minutes as key, and the boundary is automatically reset every minute (not the sliding window starting from the first call)
  • daily (day window) · Use UTC date as key, automatically reset at 00:00 UTC every day

When the Limit Is Reached

http
HTTP/1.1 429 Too Many Requests
Retry-After: 38
X-RateLimit-Limit: 60
X-RateLimit-Window: minute
Content-Type: application/json

{
  "error": "Rate limit exceeded",
  "window": "minute",
  "limit": 60,
  "retryAfterSeconds": 38
}

The client should:

  • Read the Retry-After Header (number of seconds), delay for the corresponding length of time and then try again
  • X-RateLimit-Window Tells you which window was hit (minute/day)
  • Exponential backoff + jitter; don't retry immediately after receiving 429
Multiple Keys to split traffic

Need higher throughput? Independent keys are issued for different environments/different integrations, and each key receives a full quota. A Pro user opening 3 Keys equals a total capacity of 900 RPM. This is also the best practice for accident location - when a problem occurs, you only need to look at which Key has abnormal usage.

HTTP Response Code

Status CodeMeaningCoping Strategies
200Success
202Accepted (when execution is started)Poll the status with the returned executionId
400Invalid request body (JSON/field error)Fix request; do not retry
401Token is missing/wrong format/revoked/expired/insufficient scopeRecheck Token and scope; do not try again
403Token owner account has been deactivated/lockedContact your account administrator; do not try again
404Resource does not exist or has no visibilityCheck ID/scope; don't retry
409Status conflict (e.g. approval has been decided)Query the current status again
429Rate LimitingRetry after complying with Retry-After
500/502/503Server errorExponential backoff + jitter, retry 3-5 times
Why 401 does not distinguish between reasons

Token missing, expired, revoked, and insufficient scope all return 401 uniformly, without exposing the specific failure reason - this avoids attackers from using trial and error to detect which keys exist/which scopes are enabled. The complete failure reason (reason field) is retained in the audit log and can be checked by the administrator.