Skip to content

API Keys & Trace Routing

API keys authenticate your system when sending traces to Mibo. You need at least one to use passive testing.

Each project can have multiple API keys. Keys can be unrestricted (access all agents in the project) or scoped to specific agents.

  1. Open your project

    Go to the project you want to create a key for.

  2. Go to API Keys

    Click API Keys in the project navigation.

  3. Create a new key

    Click Create API Key. Give it a descriptive name, for example, “Production Traces” or “n8n Integration.”

  4. Scope the key (recommended)

    By default, a key has access to all agents in your project. Scoping it to a single agent removes the need to specify platformId on every trace request. A scoped key can only send traces to the agents you choose.

  5. Copy the key

    The full key is shown only once at creation. Copy it and store it securely. You won’t be able to see it again.

API keys follow this format: mibo_<random-string>. When listed in the dashboard, keys are masked as mibo_...xxxx (only the last 4 characters are visible).

Include the key in the x-api-key header when making requests:

Terminal window
curl -X POST "https://api.mibo-ai.com/public/traces" \
-H "Content-Type: application/json" \
-H "x-api-key: mibo_your_key_here" \
-H "x-request-id: chat-001" \
-d '{ "spans": [{ "span_id": "s-1", "name": "Agent", "attributes": { "gen_ai.response.text": "..." } }] }'

When a trace arrives, Mibo decides which agent to route it to using this rule (same for OTLP and Your API):

  1. If the API key is scoped to a single agent, that agent is used automatically. No extra fields needed.
  2. Otherwise, the request must carry an explicit target:
    • Your APIplatformId at the top level, or metadata.mibo.platform_id.
    • OTLPmibo.platform_id set as a resource attribute (e.g. OTEL_RESOURCE_ATTRIBUTES=mibo.platform_id=<uuid>).
  3. If neither resolves, the request returns 400 with a hint.

The rule is uniform across paths intentionally: same surface, same resolution, no per-agent escape hatches.

Click the revoke button next to any key to permanently delete it. Revoked keys stop working immediately, and any system using that key will start getting authentication errors.

  • Name your keys descriptively: use names like “Production n8n” or “Staging Traces” so you know what each key is for.
  • Scope keys to one agent. It eliminates the per-request agent field and limits blast radius if the key is compromised.
  • Don’t share keys across environments. Create separate keys for staging and production.
  • Monitor last used dates. If a key hasn’t been used in a while, consider revoking it.

With your API key configured, your system can start sending traces.