The Runtype API uses API keys for authentication. Include your API key in the Authorization header of every request.
Keep your API keys secure. Never expose them in client-side code or commit them to version control.
Include the API key in the Authorization header with the Bearer scheme:
API keys can be scoped to specific permissions. Common scopes include:
When you create or edit a key on the dashboard’s API Keys page (see Managing API keys), you’ll see the complete list of available scopes along with pre-built permission groups for common use cases.
An AI agent can obtain a scoped Runtype API key on its own, without a human creating one first, and later bind that key to a real user. This follows the auth.md anonymous-start pattern, so agents that understand the standard can discover and complete the flow automatically.
An agent finds the flow in two ways:
- WWW-Authenticate header on 401 responses points to the discovery document.
- agent_auth block in GET /.well-known/oauth-authorization-server describes the endpoints, and runtype.com/auth.md documents them in prose.
POST /agent/auth returns a pre-claim API key plus a claim token. No human is involved.
The pre-claim key is an rt_* key that expires after 24 hours. It grants broad platform access for building and running — dispatch, flows, agents, records, reading and executing tools, and products — but excludes sensitive and destructive operations: no secrets, API keys, integrations, schedules, webhooks, messaging, or A2A scopes, and no delete permissions.
To upgrade the key to full access, claim it against a real email address:
This emails a one-time code to the address. Complete the claim with that code:
On success, Runtype revokes the pre-claim key and issues a fresh, full-access key bound to the user. Issuing a new key rather than upgrading in place prevents any copy of the old key from silently gaining full privileges.
One-time codes expire after 10 minutes. After 5 failed attempts the claim locks out and the pre-claim key is revoked. Registration is rate-limited to 5 attempts per hour per IP.
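The claim rules above can be modelled as a small state machine. This is an added example, not Runtype's code: the ClaimStore class, its method names, the in-memory storage, the six-digit code format and the choice to count an expired code as a failed attempt are all assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 10 * 60   # one-time codes expire after 10 minutes (from the page)
MAX_FAILED = 5       # claim locks out after 5 failed attempts (from the page)

class ClaimStore:
    """Hypothetical in-memory model of the claim step."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.active_keys = {}   # key -> bound email, or None while pre-claim
        self.claims = {}        # claim token -> claim state

    def register(self):
        key = "rt_" + secrets.token_hex(16)   # constructed key value
        token = secrets.token_urlsafe(16)
        self.active_keys[key] = None
        self.claims[token] = {"key": key, "code": None, "failed": 0}
        return key, token

    def start_claim(self, token, email):
        code = f"{secrets.randbelow(10**6):06d}"
        self.claims[token].update(code=code, email=email, sent=self.clock())
        return code   # a real service emails the code instead of returning it

    def complete_claim(self, token, code):
        claim = self.claims.get(token)
        if claim is None or claim["code"] is None:
            return None
        expired = self.clock() - claim["sent"] > CODE_TTL
        match = hmac.compare_digest(claim["code"].encode(), code.encode())
        if expired or not match:
            claim["failed"] += 1   # assumption: expired codes count as failures
            if claim["failed"] >= MAX_FAILED:
                # Lockout: drop the claim and revoke the pre-claim key with it.
                self.active_keys.pop(claim["key"], None)
                del self.claims[token]
            return None
        # Success: revoke the old key and issue a new one. The old key is
        # never upgraded in place, so a leaked copy gains nothing.
        self.active_keys.pop(claim["key"], None)
        del self.claims[token]
        new_key = "rt_" + secrets.token_hex(16)
        self.active_keys[new_key] = claim["email"]
        return new_key
```

Passing a fake clock to ClaimStore lets the expiry and lockout paths be exercised without waiting.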
Execution limits are based on your plan tier. The Build tier includes 50 full-speed executions per day, after which slow mode activates. Paid plans have higher burst limits and monthly execution pools.
For full details on plan-specific limits, see Rate limits and usage.
Rate limit and quota headers are included in responses:
Store API keys in environment variables, not in code:
Create API keys with only the permissions they need. A key that only reads data shouldn’t have write permissions.
Regenerate API keys periodically and update them in your applications.
Check the API Keys section in your dashboard to monitor usage and detect unusual activity.