3 Auth Domains

Authentication

DRD uses three authentication domains: dashboard auth (Clerk), API keys for server-to-server, and Ed25519 JWT tokens for the SDK.

Domain 1

Dashboard Authentication (Clerk)

Dashboard users authenticate via Clerk, supporting email/password, GitHub OAuth, and Google OAuth. Sessions are managed automatically.

Email + Password

Standard credential-based auth

GitHub OAuth

One-click sign-in via GitHub

Google OAuth

One-click sign-in via Google

SSO/SAML

Enterprise plan only

Domain 2

API Keys

API keys are used for server-to-server API calls. Keys are created in the dashboard and follow this format:

key-format.txt

drd_live_sk_a1b2c3...   # Live key
drd_test_sk_x9y8z7...   # Test key

Key Security

Full key shown only once at creation — copy and store securely

Keys stored as SHA-256 hash + 6-character prefix for lookup

Keys can be scoped to specific workspaces and permissions

Keys can be rotated or revoked instantly from the dashboard

Using API Keys

terminal

# Pass in Authorization header
curl -H "Authorization: Bearer drd_live_sk_a1b2c3..." \
  https://api.drd.io/api/v1/agents

Domain 3

SDK Tokens (Ed25519 JWT)

For high-frequency SDK operations (like guard()), API keys are exchanged for short-lived JWT tokens signed with Ed25519. These tokens expire after 15 minutes and are automatically refreshed.

token-exchange.ts

// Token exchange (handled automatically by the SDK)
POST /api/v1/tokens
Authorization: Bearer drd_live_sk_...

// Response
{
  "token": "eyJhbGciOiJFZDI1NTE5...",
  "expiresAt": "2026-02-09T12:15:00Z"
}

API Key Types

DRD issues two types of API keys, each scoped to a different level of access.

Workspace Keys

drd_ws_...

Full access to all resources within a workspace. Used for server-side integrations, CI/CD pipelines, and admin operations.

Keep these keys server-side only. Never expose in client code.

Agent Keys

drd_ag_...

Scoped to a single agent. Can only access that agent's data, submit events, and evaluate policies against that agent.

Recommended for production agent deployments.

Creating API Keys

API keys are created and managed in the DRD dashboard or via the API.

Via the Dashboard

Navigate to your workspace in the DRD dashboard

Go to Settings, then API Keys

Click 'Create API Key'

Choose the key type (Workspace or Agent)

Select the scopes you need

Copy the key immediately -- it is only shown once

Via the API

create-key.ts

const key = await drd.apiKeys.create({
  name: "Production Agent Key",
  type: "agent",
  agentId: "01956abc-def0-...",
  scopes: ["guard:evaluate", "events:write", "agents:read"],
  expiresAt: "2026-12-31T23:59:59Z", // Optional expiration
});

// IMPORTANT: The key value is returned exactly once
console.log("Key:", key.apiKey); // drd_ag_sk_1a2b3c4d...

Permission Scopes

API keys can be scoped to specific permissions. Use the minimum scopes required for your integration.

Scope	Description	Key Types
agents:read	List and view agents	Workspace, Agent
agents:write	Create, update, delete agents	Workspace
policies:read	List and view policies	Workspace, Agent
policies:write	Create, update, delete policies	Workspace
guard:evaluate	Evaluate actions against policies	Workspace, Agent
events:read	List and query events	Workspace, Agent
events:write	Ingest events to the audit trail	Workspace, Agent
content:read	List and view content	Workspace
content:write	Register content and submit takedowns	Workspace
content:scan	Scan content for infringement	Workspace
enforcement:read	List enforcement actions	Workspace, Agent
enforcement:write	Create enforcements and submit appeals	Workspace
webhooks:read	List and view webhooks	Workspace
webhooks:write	Create, update, delete webhooks	Workspace

JWT Authentication for Agents

For high-frequency, low-latency operations (like the guard endpoint), agents can authenticate with short-lived JWT tokens signed with Ed25519. This avoids the overhead of API key validation on every request.

How It Works

Your server requests a short-lived SDK token using your API key

The platform issues a JWT signed with Ed25519 (15-minute TTL)

Your agent uses the JWT for guard and event endpoints

When the token expires, request a new one

jwt-token.ts

// Step 1: Issue a token (server-side, using your API key)
const { token, expiresIn } = await drd.tokens.issue();
// token:     "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9..."
// expiresIn: 900 (seconds = 15 minutes)

// Step 2: Use the token for guard calls (agent-side)
const decision = await fetch("https://api.drd.io/v1/guard", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${token}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    action: "send_email",
    context: { target: "user@example.com" },
    agentId: "01956abc-...",
  }),
}).then(r => r.json());

Token Details

Algorithm: EdDSA (Ed25519)
TTL: 15 minutes (non-renewable)
Claims: workspaceId, agentId, scopes, iat, exp
Verification: Public key available at /.well-known/jwks.json

OAuth2 for Third-Party Integrations

Third-party applications can integrate with DRD using the OAuth2 Authorization Code flow. This allows users to grant scoped access to their DRD workspace without sharing API keys.

Step 1: Authorization Request

oauth-redirect

https://auth.drd.io/authorize?
  client_id=your_client_id&
  redirect_uri=https://your-app.com/callback&
  response_type=code&
  scope=agents:read policies:read guard:evaluate&
  state=random_csrf_token

Step 2: Exchange Code for Token

token-exchange.ts

const response = await fetch("https://auth.drd.io/token", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    grant_type: "authorization_code",
    client_id: "your_client_id",
    client_secret: "your_client_secret",
    code: "auth_code_from_callback",
    redirect_uri: "https://your-app.com/callback",
  }),
});

const { access_token, refresh_token, expires_in, scope } = await response.json();
// access_token:  "drd_oauth_at_..."  (1 hour TTL)
// refresh_token: "drd_oauth_rt_..."  (30 day TTL)

Step 3: Use the Access Token

oauth-api-call.ts

const agents = await fetch("https://api.drd.io/v1/agents", {
  headers: {
    "Authorization": "Bearer drd_oauth_at_...",
    "Content-Type": "application/json",
  },
}).then(r => r.json());

Security Best Practices

Rotate Keys Regularly

Rotate API keys every 90 days. Use the POST /api-keys/:id/rotate endpoint for zero-downtime rotation.

Use Scoped Keys

Always use the minimum scopes required. For agent deployments, use agent keys (drd_ag_...) instead of workspace keys.

Never Expose Keys in Client Code

API keys must never appear in browser JavaScript or mobile apps. Use a server-side proxy or OAuth2 for client-facing apps.

Use Environment Variables

Store API keys in environment variables or a secrets manager (AWS Secrets Manager, Vault, Doppler). Never commit keys to source control.

Set Key Expiration

When creating API keys, set an expiration date. Expired keys are automatically revoked. For long-running services, use key rotation.

Quick Reference

Method	Header Format	Use Case
API Key	Bearer drd_ws_... / drd_ag_...	Server-side integrations, admin operations
JWT (Ed25519)	Bearer eyJhbGci...	High-frequency guard calls, agent operations
OAuth2 Token	Bearer drd_oauth_at_...	Third-party app integrations

Next Steps

Getting Started

Create your first API key and get set up

Learn more →

SDK Guide

SDK handles token exchange automatically

Learn more →

API Reference

Auth requirements per endpoint

Learn more →

Compliance

Regulatory compliance for authentication flows

Learn more →

3 Auth Domains

Authentication

DRD uses three authentication domains: dashboard auth (Clerk), API keys for server-to-server, and Ed25519 JWT tokens for the SDK.

Domain 1

Dashboard Authentication (Clerk)

Dashboard users authenticate via Clerk, supporting email/password, GitHub OAuth, and Google OAuth. Sessions are managed automatically.

Email + Password

Standard credential-based auth

GitHub OAuth

One-click sign-in via GitHub

Google OAuth

One-click sign-in via Google

SSO/SAML

Enterprise plan only

Domain 2

API Keys

API keys are used for server-to-server API calls. Keys are created in the dashboard and follow this format:

key-format.txt

drd_live_sk_a1b2c3...   # Live key
drd_test_sk_x9y8z7...   # Test key

Key Security

Full key shown only once at creation — copy and store securely

Keys stored as SHA-256 hash + 6-character prefix for lookup

Keys can be scoped to specific workspaces and permissions

Keys can be rotated or revoked instantly from the dashboard

Using API Keys

terminal

# Pass in Authorization header
curl -H "Authorization: Bearer drd_live_sk_a1b2c3..." \
  https://api.drd.io/api/v1/agents

Domain 3

SDK Tokens (Ed25519 JWT)

For high-frequency SDK operations (like guard()), API keys are exchanged for short-lived JWT tokens signed with Ed25519. These tokens expire after 15 minutes and are automatically refreshed.

token-exchange.ts

// Token exchange (handled automatically by the SDK)
POST /api/v1/tokens
Authorization: Bearer drd_live_sk_...

// Response
{
  "token": "eyJhbGciOiJFZDI1NTE5...",
  "expiresAt": "2026-02-09T12:15:00Z"
}

API Key Types

DRD issues two types of API keys, each scoped to a different level of access.

Workspace Keys

drd_ws_...

Full access to all resources within a workspace. Used for server-side integrations, CI/CD pipelines, and admin operations.

Keep these keys server-side only. Never expose in client code.

Agent Keys

drd_ag_...

Scoped to a single agent. Can only access that agent's data, submit events, and evaluate policies against that agent.

Recommended for production agent deployments.

Creating API Keys

API keys are created and managed in the DRD dashboard or via the API.

Via the Dashboard

Navigate to your workspace in the DRD dashboard

Go to Settings, then API Keys

Click 'Create API Key'

Choose the key type (Workspace or Agent)

Select the scopes you need

Copy the key immediately -- it is only shown once

Via the API

create-key.ts

const key = await drd.apiKeys.create({
  name: "Production Agent Key",
  type: "agent",
  agentId: "01956abc-def0-...",
  scopes: ["guard:evaluate", "events:write", "agents:read"],
  expiresAt: "2026-12-31T23:59:59Z", // Optional expiration
});

// IMPORTANT: The key value is returned exactly once
console.log("Key:", key.apiKey); // drd_ag_sk_1a2b3c4d...

Permission Scopes

API keys can be scoped to specific permissions. Use the minimum scopes required for your integration.

Scope	Description	Key Types
agents:read	List and view agents	Workspace, Agent
agents:write	Create, update, delete agents	Workspace
policies:read	List and view policies	Workspace, Agent
policies:write	Create, update, delete policies	Workspace
guard:evaluate	Evaluate actions against policies	Workspace, Agent
events:read	List and query events	Workspace, Agent
events:write	Ingest events to the audit trail	Workspace, Agent
content:read	List and view content	Workspace
content:write	Register content and submit takedowns	Workspace
content:scan	Scan content for infringement	Workspace
enforcement:read	List enforcement actions	Workspace, Agent
enforcement:write	Create enforcements and submit appeals	Workspace
webhooks:read	List and view webhooks	Workspace
webhooks:write	Create, update, delete webhooks	Workspace

JWT Authentication for Agents

How It Works

Your server requests a short-lived SDK token using your API key

The platform issues a JWT signed with Ed25519 (15-minute TTL)

Your agent uses the JWT for guard and event endpoints

When the token expires, request a new one

jwt-token.ts

// Step 1: Issue a token (server-side, using your API key)
const { token, expiresIn } = await drd.tokens.issue();
// token:     "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9..."
// expiresIn: 900 (seconds = 15 minutes)

// Step 2: Use the token for guard calls (agent-side)
const decision = await fetch("https://api.drd.io/v1/guard", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${token}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    action: "send_email",
    context: { target: "user@example.com" },
    agentId: "01956abc-...",
  }),
}).then(r => r.json());

Token Details

Algorithm: EdDSA (Ed25519)
TTL: 15 minutes (non-renewable)
Claims: workspaceId, agentId, scopes, iat, exp
Verification: Public key available at /.well-known/jwks.json

OAuth2 for Third-Party Integrations

Third-party applications can integrate with DRD using the OAuth2 Authorization Code flow. This allows users to grant scoped access to their DRD workspace without sharing API keys.

Step 1: Authorization Request

oauth-redirect

https://auth.drd.io/authorize?
  client_id=your_client_id&
  redirect_uri=https://your-app.com/callback&
  response_type=code&
  scope=agents:read policies:read guard:evaluate&
  state=random_csrf_token

Step 2: Exchange Code for Token

token-exchange.ts

const response = await fetch("https://auth.drd.io/token", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    grant_type: "authorization_code",
    client_id: "your_client_id",
    client_secret: "your_client_secret",
    code: "auth_code_from_callback",
    redirect_uri: "https://your-app.com/callback",
  }),
});

const { access_token, refresh_token, expires_in, scope } = await response.json();
// access_token:  "drd_oauth_at_..."  (1 hour TTL)
// refresh_token: "drd_oauth_rt_..."  (30 day TTL)

Step 3: Use the Access Token

oauth-api-call.ts

const agents = await fetch("https://api.drd.io/v1/agents", {
  headers: {
    "Authorization": "Bearer drd_oauth_at_...",
    "Content-Type": "application/json",
  },
}).then(r => r.json());

Security Best Practices

Rotate Keys Regularly

Rotate API keys every 90 days. Use the POST /api-keys/:id/rotate endpoint for zero-downtime rotation.

Use Scoped Keys

Always use the minimum scopes required. For agent deployments, use agent keys (drd_ag_...) instead of workspace keys.

Never Expose Keys in Client Code

API keys must never appear in browser JavaScript or mobile apps. Use a server-side proxy or OAuth2 for client-facing apps.

Use Environment Variables

Store API keys in environment variables or a secrets manager (AWS Secrets Manager, Vault, Doppler). Never commit keys to source control.

Set Key Expiration

When creating API keys, set an expiration date. Expired keys are automatically revoked. For long-running services, use key rotation.

Quick Reference

Method	Header Format	Use Case
API Key	Bearer drd_ws_... / drd_ag_...	Server-side integrations, admin operations
JWT (Ed25519)	Bearer eyJhbGci...	High-frequency guard calls, agent operations
OAuth2 Token	Bearer drd_oauth_at_...	Third-party app integrations

Next Steps

Getting Started

Create your first API key and get set up

Learn more →

SDK Guide

SDK handles token exchange automatically

Learn more →

API Reference

Auth requirements per endpoint

Learn more →

Compliance

Regulatory compliance for authentication flows

Learn more →