Authentication
Every API request requires two headers: an API key for authentication and a tenant ID for authorization.
Required headers
| Header | Description | Example |
|---|---|---|
| Authorization | Bearer token with your API key | Bearer live_sk_abc123... |
| X-Tenant-ID | UUID identifying your tenant account | 550e8400-e29b-41d4-a716-446655440000 |
```bash
curl https://api.korastratum.com/ai/api/v1/ai/agents \
  -H "Authorization: Bearer live_sk_abc123..." \
  -H "X-Tenant-ID: 550e8400-e29b-41d4-a716-446655440000"
```
API key formats
Korastratum uses key prefixes to determine the environment automatically:
| Prefix | Environment | Use case |
|---|---|---|
| live_ | Production | Real agent decisions with live banking data |
| test_ | Sandbox | Development and testing; agents run against mock data |
Never expose production API keys in client-side code. API keys should only be used server-side.
Environments
| Environment | Base URL |
|---|---|
| Production | https://api.korastratum.com/ai/api/v1 |
| Sandbox | https://sandbox.korastratum.com/ai/api/v1 |
The API automatically routes requests to the correct environment based on your API key prefix. A test_ key always hits sandbox, and a live_ key always hits production.
Rate limit headers
Every response includes rate limit information:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests allowed per minute |
| X-RateLimit-Remaining | Requests remaining in the current window |
| X-RateLimit-Reset | Unix timestamp when the rate limit resets |
When you exceed your rate limit, you'll receive a 429 Too Many Requests response. See Rate Limits for per-tier limits.
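The following is an added example (not code from the Korastratum docs or SDK) showing a small client-side helper that ties the sections above together: it validates the key prefix and tenant UUID before anything is sent, picks the base URL the page documents for that prefix, builds the two required headers, and reads the X-RateLimit-* headers to decide how long to back off after a 429. The key, tenant ID and response headers below are constructed sample values.

```python
import uuid
from dataclasses import dataclass

# Base URLs and header names as documented on this page.
BASE_URLS = {
    "live_": "https://api.korastratum.com/ai/api/v1",
    "test_": "https://sandbox.korastratum.com/ai/api/v1",
}


def build_request(api_key: str, tenant_id: str, path: str = "/ai/agents"):
    """Return (url, headers) for a request. Refuses keys with an unknown
    prefix and tenant IDs that are not well-formed UUIDs, so a misconfigured
    credential fails locally instead of being sent to the wrong environment."""
    prefix = next((p for p in BASE_URLS if api_key.startswith(p)), None)
    if prefix is None:
        raise ValueError("API key must start with live_ or test_")
    try:
        tenant = str(uuid.UUID(tenant_id))  # validates format, normalises case
    except ValueError:
        raise ValueError("X-Tenant-ID must be a UUID") from None
    headers = {"Authorization": f"Bearer {api_key}", "X-Tenant-ID": tenant}
    return BASE_URLS[prefix] + path, headers


@dataclass
class RateLimit:
    limit: int
    remaining: int
    reset: int  # Unix timestamp at which the window resets


def parse_rate_limit(headers: dict) -> RateLimit:
    """Read the three X-RateLimit-* response headers (case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    return RateLimit(int(h["x-ratelimit-limit"]),
                     int(h["x-ratelimit-remaining"]),
                     int(h["x-ratelimit-reset"]))


def seconds_to_wait(status: int, headers: dict, now: int) -> int:
    """Seconds to sleep before retrying: until the reset timestamp on a 429,
    or when the window is already exhausted; 0 otherwise."""
    rl = parse_rate_limit(headers)
    if status == 429 or rl.remaining <= 0:
        return max(rl.reset - now, 0)
    return 0


# Constructed sample 429 response headers (not captured from the real API).
SAMPLE_429 = {"X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "0",
              "X-RateLimit-Reset": "1700000030"}
```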
Tenant ID
Your tenant ID is a UUID assigned when your account is created. Find it in your dashboard settings. The tenant ID scopes all agent configurations, decisions, and metrics to your account. Each tenant has independent agent mode settings, thresholds, and decision history.
Internal endpoints
The POST /ai/agent-decisions endpoint is used internally by the agent framework to log decisions. It does not require user authentication and is not accessible from external networks. It uses system-level access within the platform.