Authentication & API Keys
How to authenticate to the Meridian Ephemeris API (JWT + API keys) and manage credentials.
Authentication Overview
The Meridian Ephemeris API supports two authentication modes:
- End-user JWT (Supabase) via the standard bearer token header:
Authorization: Bearer <jwt_token>
- API key via the X-API-Key header:
X-API-Key: <api_key>
Creating API Keys
- Sign in to your dashboard
- Navigate to API Keys
- Click "Create API Key"
- Give your key a descriptive name (e.g., "Production", "Development")
- Copy the key immediately—you won't see it again
Best Practices
Keep Keys Secret
- Never commit API keys to version control
- Use environment variables or secrets managers
- Don't expose keys in client-side code
// ✅ Good: Use environment variables
const apiKey = process.env.ASTROMCP_API_KEY;
// ❌ Bad: Hardcoded key
const apiKey = "<secret>";
Use Separate Keys for Environments
Create different keys for development, staging, and production. This allows you to:
- Revoke a compromised key without affecting all environments
- Track usage per environment
- Apply different rate limits if needed
Rotate Keys Regularly
For production systems, consider rotating API keys periodically:
- Create a new key
- Update your application to use the new key
- Verify the new key works
- Revoke the old key
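One way to gate the last step on the verification step, shown as an added example rather than Meridian's own code. Assumptions: `ASTROMCP_API_KEY_NEXT` is a hypothetical variable holding the newly created key, the probe URL is whatever authenticated endpoint you already call, `fetchFn` is injected so the check can be exercised offline, and any 2xx response counts as "the key works".

```javascript
// Added example, not Meridian's code. Assumed names: ASTROMCP_API_KEY_NEXT
// (hypothetical variable for the newly created key) and the probe URL.
let counter = 0;

// Read a key from the environment; fail closed when it is missing or blank.
function loadKey(env, name) {
  const key = (env[name] || "").trim();
  if (!key) throw new Error(`${name} is not set`);
  return key;
}

// Keep only the last 4 characters so logs never hold the full secret.
function redact(key) {
  return key.length > 8 ? `****${key.slice(-4)}` : "****";
}

// Send one request authenticated with `key` and summarise the outcome.
// The request ID is a correlation value for support, not a secret.
async function probeKey(fetchFn, url, key) {
  const requestId = `rotate-${Date.now().toString(36)}-${++counter}`;
  const res = await fetchFn(url, {
    headers: { "X-API-Key": key, "X-Request-ID": requestId },
  });
  return { ok: res.ok, status: res.status, requestId, key: redact(key) };
}

// Rotation gate: revoke the old key only after the new one has worked.
async function safeToRevokeOld(fetchFn, url, env) {
  const current = loadKey(env, "ASTROMCP_API_KEY");
  const next = loadKey(env, "ASTROMCP_API_KEY_NEXT");
  if (next === current) throw new Error("new key equals the current key");
  const probe = await probeKey(fetchFn, url, next);
  return { revokeOld: probe.ok, ...probe };
}
```

Call `safeToRevokeOld(fetch, url, process.env)` from a deploy step and revoke the old key in the dashboard only when `revokeOld` is true. The returned `requestId` can be quoted in a support request if the probe fails.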
Revoking Keys
To revoke an API key:
- Go to API Keys
- Find the key you want to revoke
- Click "Revoke"
Revoked keys immediately stop working. This action cannot be undone.
Rate Limiting
Rate limits depend on your authentication mode and plan. See Error Codes & Rate Limits.
Security Headers
For additional security, include these headers in your requests:
Authorization: Bearer <jwt_token>
Content-Type: application/json
X-Request-ID: unique-request-id
The X-Request-ID header is optional but helps with debugging and support requests.