Skip to main content

Documentation Index

Fetch the complete documentation index at: https://evalgate.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

Authenticate with the Evalgate API

Create an API key, set your environment variables, and make your first authenticated request to the Evalgate platform in under two minutes.
Every request to the Evalgate platform — whether from the SDK or directly against the REST API — requires an API key. This page explains how to create one, where to put it, and how the SDK picks it up automatically so you don’t have to pass it on every call.

Create an API key

API keys are created from the Developer Dashboard. You need an Evalgate account before you begin.
1

Open the Developer Dashboard

Sign in to your Evalgate account and navigate to the Developer Dashboard. Scroll down to the API Keys section.
2

Create the key

Click Create API Key. Enter a descriptive name — for example, Development Key or CI Pipeline — so you can identify it later. Select the scopes you need (start with all scopes for initial testing), then click Create Key.
3

Copy the key immediately

Your API key is displayed only once. Copy it and store it in a secure location — a password manager, your CI secrets store, or a local .env file — before closing the dialog.
If you close the dialog without copying the key, you cannot retrieve it. You’ll need to create a new one.
The dialog also shows your Organization ID. Save that value alongside your key — the SDK requires both to identify your account.

Use the API key in HTTP requests

Include your API key as a Bearer token in the Authorization header on every request to the Evalgate API. 
Authorization: Bearer YOUR_API_KEY
The base URL for all API endpoints is https://evalgate.com. A full request looks like this: 
curl https://evalgate.com/api/traces \
  -H "Authorization: Bearer sk_test_your_api_key_here" \
  -H "Content-Type: application/json"

Configure environment variables

Store your credentials as environment variables so neither the SDK nor your code needs to hardcode them.
.env
EVALGATE_API_KEY=sk_test_your_api_key_here
EVALGATE_ORGANIZATION_ID=your_org_id_here
Both variables are required for platform features. You can find both values in the API key creation dialog in the Developer Dashboard.

SDK auto-loading

Both the TypeScript and Python SDKs read EVALGATE_API_KEY and EVALGATE_ORGANIZATION_ID from the environment automatically when you call .init() with no arguments. 
import { AIEvalClient } from '@evalgate/sdk';

// Reads EVALGATE_API_KEY and EVALGATE_ORGANIZATION_ID automatically
const client = AIEvalClient.init();
If you need to pass credentials explicitly — for example, when loading them from a secrets manager at runtime — pass them directly to the constructor: 
const client = new AIEvalClient({
  apiKey: process.env.EVALGATE_API_KEY,
  organizationId: parseInt(process.env.EVALGATE_ORGANIZATION_ID!),
});

Authentication errors

If a request fails with a 401 Unauthorized response, the API key is either missing, incorrect, or has been revoked. Check the following:
  • The Authorization header is present and formatted as Bearer YOUR_API_KEY.
  • The key was copied in full — keys starting with sk_ are case-sensitive.
  • The key has not been deleted from the Developer Dashboard.
  • The scopes on the key include the operation you’re attempting.

Security best practices

Treat your API key like a password. Anyone who has it can make requests on behalf of your organization.
Follow these practices to keep your credentials secure: Never commit keys to version control. Add .env to your .gitignore file before creating it: 
echo ".env" >> .gitignore
Use CI secret stores for CI pipelines. In GitHub Actions, store the key as a repository secret and reference it in your workflow: 
env:
  EVALGATE_API_KEY: ${{ secrets.EVALGATE_API_KEY }}
  EVALGATE_ORGANIZATION_ID: ${{ secrets.EVALGATE_ORGANIZATION_ID }}
Create separate keys per environment. Use one key for local development, a separate key for staging, and another for production. This limits the blast radius if a key is exposed and makes it easy to rotate individual environments. Rotate keys when team members leave. Revoke keys for former team members immediately from the Developer Dashboard and issue new keys to active users.

Rate limits

All API keys are subject to rate limits. If your integration receives 429 Too Many Requests responses, you are exceeding the allowed request rate for your plan. See the rate limits reference for per-plan limits and guidance on handling backoff.