Authentication and Rate Limiting
Bearer / X-API-Key / query three writing methods, package rate limit, HTTP status code semantics.
All endpoints of the open platform are uniformly authenticated through API Key. This page explains clearly the three ways of writing Tokens, package rate limits, and the semantics of error responses.
Three Authentication Writing Methods
1. Authorization: Bearer (Recommended)
curl https://braidrun.com/api/v1/workflows \
-H "Authorization: Bearer dyk_<id>_<secret>"The most standard writing method, supported by all SDKs by default. Production environment is preferred.
2.X-API-Key Header
curl https://braidrun.com/api/v1/workflows \
-H "X-API-Key: dyk_<id>_<secret>"Suitable for scenarios where the proxy of some closed networks cannot forward the Authorization Header. Functionally equivalent to Bearer.
3. Query Parameter ?api_key= (Only in Scenarios Where Header Cannot Be Written)
https://braidrun.com/api/webhook-trigger/approval/appr-123/approve?api_key=dyk_<id>_<secret>Query parameters will be recorded in browser history, Referer Header, HTTP server access logs, and CDN logs. It is only used in scenarios that must be triggered in the form of GET links (such as email/Slack/Telegram one-click approval links), and is used with a short TTL Key. Never give up Bearer priority to query parameters.
Priority
Authorization: Bearer dyk_…X-API-Key: dyk_…?api_key=dyk_…
Try from top to bottom and stop parsing when you find a non-empty one.
Rate Limiting
Each API Key has two upper limits of "per minute" and "daily", which are automatically applied according to the Key owner's package. Each Key has an independent quota and is not shared with other Keys in the same account.
Package Comparison Table
| Package | Per Minute | Daily |
|---|---|---|
| Free | 60 | 2,000 |
| Pro | 300 | 50,000 |
| Team | 1,200 | 500,000 |
| Enterprise | 6,000 | Any |
Window Semantics
- minute window · Use epoch minutes as key, and the boundary is automatically reset every minute (not the sliding window starting from the first call)
- daily (day window) · Use UTC date as key, automatically reset at 00:00 UTC every day
When the Limit Is Reached
HTTP/1.1 429 Too Many Requests
Retry-After: 38
X-RateLimit-Limit: 60
X-RateLimit-Window: minute
Content-Type: application/json
{
"error": "Rate limit exceeded",
"window": "minute",
"limit": 60,
"retryAfterSeconds": 38
}The client should:
- Read the Retry-After Header (number of seconds), delay for the corresponding length of time and then try again
X-RateLimit-WindowTells you which window was hit (minute/day)- Exponential backoff + jitter; don't retry immediately after receiving 429
Need higher throughput? Independent keys are issued for different environments/different integrations, and each key receives a full quota. A Pro user opening 3 Keys equals a total capacity of 900 RPM. This is also the best practice for accident location - when a problem occurs, you only need to look at which Key has abnormal usage.
HTTP Response Code
| Status Code | Meaning | Coping Strategies |
|---|---|---|
200 | Success | — |
202 | Accepted (when execution is started) | Poll the status with the returned executionId |
400 | Invalid request body (JSON/field error) | Fix request; do not retry |
401 | Token is missing/wrong format/revoked/expired/insufficient scope | Recheck Token and scope; do not try again |
403 | Token owner account has been deactivated/locked | Contact your account administrator; do not try again |
404 | Resource does not exist or has no visibility | Check ID/scope; don't retry |
409 | Status conflict (e.g. approval has been decided) | Query the current status again |
429 | Rate Limiting | Retry after complying with Retry-After |
500/502/503 | Server error | Exponential backoff + jitter, retry 3-5 times |
Token missing, expired, revoked, and insufficient scope all return 401 uniformly, without exposing the specific failure reason - this avoids attackers from using trial and error to detect which keys exist/which scopes are enabled. The complete failure reason (reason field) is retained in the audit log and can be checked by the administrator.