Lelantos

Authentication

Learn how to authenticate with the Lelantos API using API keys, access tokens, or admin tokens.

Lelantos supports three authentication methods. Choose the one that fits your use case.

API Key

The most common method for SDK and REST API usage. API keys are created in the Lelantos Dashboard under API Keys.

All API keys start with the prefix lel_.

Pass the key in the X-API-Key header:

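# cURL
curl https://api.lelantos.ai/sandboxes \
  -H "X-API-Key: lel_your_key_here"

// JavaScript SDK
import { LelantosClient } from "@lelantos-ai/sdk";

const client = new LelantosClient({
  // Placeholder value; in real code, load the key from the environment or a secrets manager.
  apiKey: "lel_your_key_here",
});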

API keys are hashed with SHA-256 before storage. You will only see the full key once — when it is created. Store it securely (e.g. in environment variables or a secrets manager). Do not commit API keys to source control.

Access Token (Bearer)

Access tokens are used by the Lelantos Dashboard for session-based authentication. They are JWTs signed with HS256.

  • Session token: valid for 24 hours
  • Refresh token: valid for 30 days, single-use

Pass the token in the Authorization header:

curl https://api.lelantos.ai/sandboxes \
  -H "Authorization: Bearer sk_lel_your_token_here"

Access tokens start with the prefix sk_lel_.

Access tokens are primarily intended for dashboard sessions. For programmatic access, use an API key instead.

Admin Token

Admin tokens provide access to administrative endpoints such as worker node management and user administration. They are validated via constant-time comparison.

Pass the token in the X-Admin-Token header:

curl https://api.lelantos.ai/admin/users \
  -H "X-Admin-Token: your_admin_token_here"

Admin tokens grant full administrative access. Never expose them in client-side code, public repositories, or logs. They should only be used in secure server-side environments.

Comparison

| Feature | API Key | Access Token | Admin Token |
|---|---|---|---|
| Header | X-API-Key | Authorization: Bearer | X-Admin-Token |
| Prefix | lel_ | sk_lel_ | None |
| Lifetime | Until revoked | 24h session / 30d refresh | Until rotated |
| Use case | SDK, REST API | Dashboard sessions | Server administration |
| Scope | Team resources | User resources | All resources |
| Storage | SHA-256 hashed | JWT (HS256 signed) | Constant-time comparison |

Rate Limits

All authenticated requests are subject to rate limits to ensure fair usage and platform stability.

| Endpoint Category | Limit |
|---|---|
| General API requests | 100 requests / minute |
| Sandbox creation | 10 requests / minute |
| File operations (upload/download) | 60 requests / minute |

When you exceed a rate limit, the API returns a 429 Too Many Requests response. The Retry-After header indicates how many seconds to wait before retrying.

# Example: rate-limited response
HTTP/1.1 429 Too Many Requests
Retry-After: 12
Content-Type: application/json

{"error": "rate limit exceeded", "retryAfter": 12}

If you need higher rate limits for your use case, contact us at support@lelantos.ai.
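
The following is an added example, not code from the Lelantos documentation or SDK: a small client that loads the key from LELANTOS_API_KEY, checks the documented lel_ prefix before sending it in X-API-Key, and honors Retry-After on a 429. The function names, the injectable fetchImpl and sleep parameters, the three-attempt cap and the 60-second clamp are assumptions of this sketch.

```javascript
// Added example, not Lelantos SDK code. getApiKey, retryDelaySeconds,
// listSandboxes, fetchImpl, sleep and maxAttempts are hypothetical names.
const BASE_URL = "https://api.lelantos.ai";

// Read the key from the environment and check the documented lel_ prefix, so a
// dashboard access token (sk_lel_...) or an empty value is never sent as a key.
function getApiKey(env = process.env) {
  const key = env.LELANTOS_API_KEY || "";
  if (!key.startsWith("lel_")) {
    // Deliberately does not echo the value: secrets must not reach logs.
    throw new Error("LELANTOS_API_KEY is missing or lacks the lel_ prefix");
  }
  return key;
}

// Seconds to wait after a 429: prefer the Retry-After header, fall back to the
// retryAfter field of the JSON body, and clamp so a bad value cannot stall us.
function retryDelaySeconds(headerValue, body, maxSeconds = 60) {
  const fromHeader = Number.parseInt(headerValue ?? "", 10);
  const seconds = Number.isFinite(fromHeader) ? fromHeader : Number(body?.retryAfter);
  if (!Number.isFinite(seconds) || seconds < 0) return 1;
  return Math.min(seconds, maxSeconds);
}

// GET /sandboxes with X-API-Key, retrying only on 429 and at most maxAttempts times.
async function listSandboxes({
  env = process.env,
  fetchImpl = fetch,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  maxAttempts = 3,
} = {}) {
  const headers = { "X-API-Key": getApiKey(env) };
  for (let attempt = 1; ; attempt++) {
    const res = await fetchImpl(`${BASE_URL}/sandboxes`, { headers });
    if (res.status !== 429) {
      if (!res.ok) throw new Error(`request failed with HTTP ${res.status}`);
      return res.json();
    }
    if (attempt >= maxAttempts) throw new Error("rate limit exceeded, giving up");
    const body = await res.json().catch(() => ({}));
    await sleep(retryDelaySeconds(res.headers.get("Retry-After"), body) * 1000);
  }
}
```

Errors thrown here carry only the HTTP status or a fixed message, so the key never ends up in logs or stack traces.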

Best Practices

  1. Use environment variables — never hardcode API keys in your source code.
  2. Rotate keys regularly — revoke and recreate keys periodically.
  3. Use least privilege — prefer API keys over admin tokens for standard operations.
  4. Monitor usage — check the Dashboard for unusual activity.

# Recommended: load from environment
export LELANTOS_API_KEY="lel_your_key_here"

curl https://api.lelantos.ai/sandboxes \
  -H "X-API-Key: $LELANTOS_API_KEY"
