Authentication
API key types, how to create them, and how to authenticate requests.
Authentication
The BrowserStack AI Evals API uses HTTP Basic Authentication with project-scoped API keys. All requests must include valid credentials.
API Key Types
Public + Secret Key Pair
The standard credential pair for full read/write access. The public_key is the username and secret_key is the password in Basic auth.
- Read endpoints — require a public + secret key pair.
- Write endpoints (ingestion, creating scores, traces, etc.) — accept both the full key pair and write-only keys.
Write-Only Key
A restricted key for SDK ingestion only. It grants write access to ingestion endpoints but cannot read any data. Use this in production applications where you only need to send traces.
Write-only keys are sent as a Bearer token instead of Basic auth:
curl -H "Authorization: Bearer wk-lf-your-write-only-key" \
https://evals-api.browserstack.com/api/public/ingestion \
-d '{"batch": [...]}'Organization-Level API Keys
Organization-level keys provide access across all projects in an organization. These are managed in the organization settings and follow the same auth format as project keys.
Creating API Keys
- Open your project in the BrowserStack AI Evals dashboard.
- Navigate to Settings → API Keys.
- Click Create API Key and choose the key type.
- Copy the
public_keyandsecret_keyimmediately — the secret is shown only once.
Request Format
Basic Auth (recommended)
Pass credentials using HTTP Basic Auth — most HTTP clients handle this natively:
# cURL -u flag (username:password)
curl https://evals-api.browserstack.com/api/public/traces \
-u "pk-lf-1234567890abcdef:sk-lf-abcdef1234567890"Manual Authorization Header
If your client doesn't support Basic auth shorthand, construct the header manually:
# Encode "public_key:secret_key" in Base64
CREDENTIALS=$(echo -n "pk-lf-1234567890:sk-lf-abcdef" | base64)
curl https://evals-api.browserstack.com/api/public/traces \
-H "Authorization: Basic $CREDENTIALS"Python Example
import httpx
import base64
import os
public_key = os.environ["AISDK_PUBLIC_KEY"]
secret_key = os.environ["AISDK_SECRET_KEY"]
credentials = base64.b64encode(f"{public_key}:{secret_key}".encode()).decode()
headers = {"Authorization": f"Basic {credentials}"}
response = httpx.get(
"https://evals-api.browserstack.com/api/public/traces",
headers=headers,
params={"page": 1, "limit": 10},
)
print(response.json())TypeScript Example
const publicKey = process.env.AISDK_PUBLIC_KEY!;
const secretKey = process.env.AISDK_SECRET_KEY!;
const credentials = Buffer.from(`${publicKey}:${secretKey}`).toString("base64");
const response = await fetch("https://evals-api.browserstack.com/api/public/traces", {
headers: {
Authorization: `Basic ${credentials}`,
},
});
const data = await response.json();Error Responses
| HTTP Status | Cause |
|---|---|
401 Unauthorized | Missing or invalid API key |
403 Forbidden | Key lacks permission for this operation (e.g., write-only key on a read endpoint) |
Example error:
{ "message": "Unauthorized" }Security Best Practices
- Store API keys in environment variables, never in source code.
- Use write-only keys for SDK ingestion in production.
- Rotate keys periodically from the Settings page.
- Restrict key permissions to the minimum required scope.