
API Keys & Trace Routing

API keys authenticate your system when sending traces to Mibo. You need at least one to use passive testing.

Each project can have multiple API keys. Keys can be unrestricted (access all platforms in the project) or scoped to specific platforms.

  1. Open your project

    Go to the project you want to create a key for.

  2. Go to API Keys

    Click API Keys in the project navigation.

  3. Create a new key

    Click Create API Key. Give it a descriptive name, for example, “Production Traces” or “n8n Integration.”

  4. Scope the key (optional)

    By default, a key has access to all platforms in your project. If you want to restrict it, select specific platforms. A restricted key can only send traces to the platforms you choose.

  5. Copy the key

    The full key is shown only once at creation. Copy it and store it securely. You won’t be able to see it again.

API keys follow this format: mibo_<random-string>. When listed in the dashboard, keys are masked as mibo_...xxxx (only the last 4 characters are visible).

Include the key in the x-api-key header when making requests:

curl -X POST "https://api.mibo-ai.com/public/traces" \
-H "Content-Type: application/json" \
-H "x-api-key: mibo_your_key_here" \
-d '{ "data": { "input": "...", "output": "..." } }'
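One way to send the request above without hardcoding the key, as an added example that is not part of the Mibo documentation: the key is read from an environment variable, checked against the mibo_ prefix, logged only in the masked mibo_...xxxx form, and passed to curl on stdin so it stays out of the process list. The variable name MIBO_API_KEY and the function names are assumptions, and rejecting whitespace and control characters is an added precaution, not a documented rule.

```shell
#!/bin/sh
# Added example, not Mibo's own code. MIBO_API_KEY and the function names
# are assumptions; the endpoint and header name come from this page.
MIBO_URL="https://api.mibo-ai.com/public/traces"

# Accept only mibo_<random-string>. Rejecting whitespace and control
# characters is an added precaution: a newline would inject an extra header.
valid_key() {
  case "$1" in
    *[[:space:][:cntrl:]]*) return 1 ;;
    mibo_?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Mask a key for logs the way the dashboard lists it: mibo_...xxxx.
# Very short secrets are fully hidden (threshold of 8 is an assumption).
mask_key() {
  secret=${1#mibo_}
  if [ "${#secret}" -lt 8 ]; then
    printf 'mibo_...****\n'
  else
    printf 'mibo_...%s\n' "${secret#"${secret%????}"}"
  fi
}

# Send one trace; $1 is the JSON body. Returns 2 without contacting the
# API when the key is missing or malformed.
send_trace() {
  key=${MIBO_API_KEY:-}
  if ! valid_key "$key"; then
    echo "MIBO_API_KEY is missing or malformed" >&2
    return 2
  fi
  echo "sending trace with key $(mask_key "$key")" >&2
  # printf is a shell builtin and curl reads the header from stdin (-H @-),
  # so the key never appears in any process's argument list.
  printf 'x-api-key: %s\n' "$key" |
    curl --fail --silent --show-error -X POST "$MIBO_URL" \
      -H "Content-Type: application/json" -H @- -d "$1"
}

# Usage: export MIBO_API_KEY from a secret store, then
#   send_trace '{ "data": { "input": "...", "output": "..." } }'
```

Reading headers with -H @- requires curl 7.55.0 or later.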

When you restrict a key to specific platforms:

  • Traces sent with that key can only target the allowed platforms.
  • If the key is restricted to a single platform, Mibo automatically routes traces to that platform, so you don’t need to include a platformId in every request.
  • If the key is restricted to multiple platforms, you must specify which platform each trace belongs to via platformId in the request body, or use metadata (e.g., { "chatflowId": "abc" } for Flowise, { "workflowId": "xyz" } for n8n) so Mibo can resolve it automatically.

An unrestricted key can target any platform in the project, but Mibo needs to know which one each trace is for.

Click the revoke button next to any key to permanently delete it. Revoked keys stop working immediately, and any system using that key will start getting authentication errors.

  • Name your keys descriptively: use names like “Production n8n” or “Staging Traces” so you know what each key is for.
  • Use restricted keys when possible. Scoping a key to specific platforms limits the blast radius if the key is compromised.
  • Don’t share keys across environments. Create separate keys for staging and production.
  • Monitor last used dates. If a key hasn’t been used in a while, consider revoking it.

With your API key configured, your system can start sending traces. See the Platform Guides for platform-specific trace setup, and the Trace Format Reference for exact data structures.