API authentication

Every EvalGate API request except GET /api/mcp/tools must include a bearer token. The token identifies the caller, determines which organization the request can access, and enforces the rate limits for your plan.

Add the authorization header

Include your API key in the Authorization header on every request:
curl https://evalgate.com/api/evaluations \
  -H "Authorization: Bearer YOUR_API_KEY"
Requests without this header, or with an invalid key, receive 401 Unauthorized.

Get your API key

  1. Open the Developer Dashboard.
  2. Go to Settings -> API Keys.
  3. Create a new key.
  4. Copy the API key and the Organization ID shown in the creation dialog.
Treat your API key like a password. Do not commit it to version control. Store it in an environment variable or secret manager and pass it at runtime.

Environment variables

The TypeScript and Python SDKs read these environment variables automatically:
Variable | Description
EVALGATE_API_KEY | Your API key, required for authenticated requests
EVALGATE_ORGANIZATION_ID | Your organization UUID, used by SDK methods that create org-scoped resources
Set them in your shell or .env file:
export EVALGATE_API_KEY=sk_test_your_api_key_here
export EVALGATE_ORGANIZATION_ID=00000000-0000-4000-8000-000000000001
Direct REST API routes usually derive organization scope from the API key. Pass organizationId in the body or query only where an endpoint explicitly documents it.

Authentication errors

401 Unauthorized
UNAUTHORIZED
Your request did not include an Authorization header, or the key is invalid, expired, or revoked.
403 Forbidden
FORBIDDEN / NO_ORG_MEMBERSHIP
Your key is valid but lacks the required permissions for this resource. This can mean the key does not have the necessary scopes, or the key does not belong to the organization that owns the requested resource.
Both errors follow the standard error envelope:
{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Unauthorized",
    "details": null,
    "requestId": "550e8400-e29b-41d4-a716-446655440000"
  }
}
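
The following is an added example, not EvalGate SDK code: a standard-library Python client that reads the key from EVALGATE_API_KEY, attaches the bearer header, and turns a 401 or 403 error envelope into a log record that carries the requestId but no key material. The function names, the advice strings, the HTTPS-only check, and the mapping of each 403 code to a single cause (inferred from the code names) are assumptions of this example.

```python
import json
import os
import urllib.error
import urllib.request

# Operator guidance per error code. The wording, and the split of the two 403
# codes between "scopes" and "organization", are assumptions of this example.
ADVICE = {
    "UNAUTHORIZED": "key missing, invalid, expired or revoked: check or rotate the key",
    "FORBIDDEN": "key lacks the required scopes for this resource",
    "NO_ORG_MEMBERSHIP": "key does not belong to the organization that owns the resource",
}

def load_api_key(environ=os.environ):
    """Read the key from the environment so it never lives in source control."""
    key = environ.get("EVALGATE_API_KEY", "").strip()
    if not key:
        raise RuntimeError("EVALGATE_API_KEY is not set")
    return key

def build_request(url, api_key):
    """Attach the bearer token; refuse plain HTTP so the key is never sent in clear."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})

def explain_auth_failure(status, body):
    """Turn a 401/403 response body into a loggable record (no key material)."""
    try:
        err = json.loads(body)["error"]
        code, request_id = str(err["code"]), err.get("requestId")
    except (ValueError, KeyError, TypeError):
        code, request_id = None, None  # body was not the documented envelope
    advice = ADVICE.get(code, "unrecognized error body: inspect the raw response")
    return {"status": status, "code": code, "request_id": request_id, "advice": advice}

def get(url, environ=os.environ):
    """GET with the bearer token; auth failures come back as a record, not an exception."""
    req = build_request(url, load_api_key(environ))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            return explain_auth_failure(exc.code, exc.read())
        raise
```

Log the returned record rather than the request object, so the Authorization header never reaches log storage.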

Anonymous endpoint

GET /api/mcp/tools does not require authentication. It returns the list of available MCP tools and their input schemas for any caller. All other MCP endpoints, including POST /api/mcp/call, require a valid bearer token.
If you integrate EvalGate with an AI agent or IDE assistant via MCP, tool discovery is public, but tool execution uses your API key. Configure your MCP client with Authorization: Bearer YOUR_API_KEY for execution requests.