API Keys & Trace Routing
API keys authenticate your system when sending traces to Mibo. You need at least one to use passive testing.
Each project can have multiple API keys. Keys can be unrestricted (access all agents in the project) or scoped to specific agents.
Creating an API key
Section titled “Creating an API key”-
Open your project
Go to the project you want to create a key for.
-
Go to API Keys
Click API Keys in the project navigation.
-
Create a new key
Click Create API Key. Give it a descriptive name, for example, “Production Traces” or “n8n Integration.”
-
Scope the key (recommended)
By default, a key has access to all agents in your project. Scoping it to a single agent removes the need to specify
platformIdon every trace request. A scoped key can only send traces to the agents you choose. -
Copy the key
The full key is shown only once at creation. Copy it and store it securely. You won’t be able to see it again.
Key format
Section titled “Key format”API keys follow this format: mibo_<random-string>. When listed in the dashboard, keys are masked as mibo_...xxxx (only the last 4 characters are visible).
Using API keys
Section titled “Using API keys”Include the key in the x-api-key header when making requests:
curl -X POST "https://api.mibo-ai.com/public/traces" \ -H "Content-Type: application/json" \ -H "x-api-key: mibo_your_key_here" \ -H "x-request-id: chat-001" \ -d '{ "spans": [{ "span_id": "s-1", "name": "Agent", "attributes": { "gen_ai.response.text": "..." } }] }'Agent scoping and routing
Section titled “Agent scoping and routing”When a trace arrives, Mibo decides which agent to route it to using this rule (same for OTLP and Your API):
- If the API key is scoped to a single agent, that agent is used automatically. No extra fields needed.
- Otherwise, the request must carry an explicit target:
- Your API →
platformIdat the top level, ormetadata.mibo.platform_id. - OTLP →
mibo.platform_idset as a resource attribute (e.g.OTEL_RESOURCE_ATTRIBUTES=mibo.platform_id=<uuid>).
- Your API →
- If neither resolves, the request returns
400with a hint.
The rule is uniform across paths intentionally: same surface, same resolution, no per-agent escape hatches.
Revoking a key
Section titled “Revoking a key”Click the revoke button next to any key to permanently delete it. Revoked keys stop working immediately, and any system using that key will start getting authentication errors.
Best practices
Section titled “Best practices”- Name your keys descriptively: use names like “Production n8n” or “Staging Traces” so you know what each key is for.
- Scope keys to one agent. It eliminates the per-request agent field and limits blast radius if the key is compromised.
- Don’t share keys across environments. Create separate keys for staging and production.
- Monitor last used dates. If a key hasn’t been used in a while, consider revoking it.
What’s next
Section titled “What’s next”With your API key configured, your system can start sending traces.