The Abigail API uses two authentication methods:
| Method | Used for | Header |
|---|---|---|
| API Key | OpenClaw endpoints (/v1/openclaw/*) | X-API-Key |
| Clerk JWT | Developer portal (/api/v1/developer/*) | Authorization: Bearer <token> |
API Key Authentication
All paid endpoints require an API key in the X-API-Key header.
abi_sk_{32_hex_characters}
Example: abi_sk_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
Using your key
```bash
curl -H "X-API-Key: abi_sk_your_key_here" \
  https://api.abigail.app/v1/openclaw/analyze
```

```python
import httpx

resp = httpx.post(
    "https://api.abigail.app/v1/openclaw/analyze",
    headers={"X-API-Key": "abi_sk_your_key_here"},
    json={"application_number": "17200011", "office_action_text": "..."}
)
```
Key lifecycle
- Create a key from Settings > API Keys
- The raw key is shown once — copy it immediately
- Only the SHA-256 hash is stored server-side
- Revoke a key anytime from Settings > API Keys
- Revoked keys are rejected immediately
Security best practices
Never commit API keys to source control. Use environment variables or a secrets manager.
- Store keys in environment variables: `ABIGAIL_API_KEY=abi_sk_...`
- Rotate keys periodically
- Use separate keys for development and production
- Revoke keys immediately if compromised
Error responses
Missing key

```json
{
  "error": true,
  "error_code": "missing_api_key",
  "message": "Missing X-API-Key header.",
  "agent_suggestion": "This endpoint requires an Abigail API key. The user must create one at https://abigail.app and provide it to you."
}
```

Invalid key

```json
{
  "error": true,
  "error_code": "invalid_api_key",
  "message": "API key invalid.",
  "agent_suggestion": "The API key is invalid. Ask the user to generate a new key at https://abigail.app"
}
```

Revoked key

```json
{
  "error": true,
  "error_code": "revoked_api_key",
  "message": "API key revoked.",
  "agent_suggestion": "The API key is revoked. Ask the user to generate a new key at https://abigail.app"
}
```
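The key lifecycle and the three error codes above fit together as in the following server-side sketch. It is an added example, not Abigail's own implementation: the `KeyStore` class, its in-memory dictionary, revocation by digest and the lowercase-hex restriction are assumptions made for illustration.

```python
import hashlib
import re
import secrets
from typing import Dict, Optional

# Format from the page: "abi_sk_" followed by 32 hex characters.
# Assumption: lowercase hex only, as in the page's example key.
KEY_RE = re.compile(r"abi_sk_[0-9a-f]{32}")


def key_digest(raw_key: str) -> str:
    """SHA-256 hex digest; the only form of the key that is persisted."""
    return hashlib.sha256(raw_key.encode("ascii")).hexdigest()


class KeyStore:
    """Hypothetical in-memory store mapping digest -> revoked flag."""

    def __init__(self) -> None:
        self._keys: Dict[str, bool] = {}

    def create(self) -> str:
        # 16 bytes from the OS CSPRNG give 32 hex characters (128 bits).
        raw = "abi_sk_" + secrets.token_hex(16)
        self._keys[key_digest(raw)] = False
        return raw  # shown to the user once, never stored

    def revoke(self, digest: str) -> None:
        if digest in self._keys:
            self._keys[digest] = True  # takes effect on the next check()

    def check(self, headers: Dict[str, str]) -> Optional[str]:
        """Return None if the key is accepted, else the page's error_code."""
        # HTTP header names are case-insensitive.
        raw = next((v for k, v in headers.items() if k.lower() == "x-api-key"), None)
        if not raw:
            return "missing_api_key"
        if not KEY_RE.fullmatch(raw):
            return "invalid_api_key"  # malformed input is rejected before hashing
        # Lookup is by digest, so the raw key never has to be kept around.
        revoked = self._keys.get(key_digest(raw))
        if revoked is None:
            return "invalid_api_key"
        return "revoked_api_key" if revoked else None
```

Because the store holds only digests, a leaked copy of it does not reveal usable keys, and a lost raw key cannot be recovered, only replaced.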