Authentication
All LYRE API requests are authenticated with Bearer tokens. This page covers key generation, usage, rate limits, and security best practices.
Bearer token authentication
Every request to the LYRE API must include an Authorization header with a valid API key prefixed by Bearer.
Example request
curl https://api.lyre.au/v1/agents -H "Authorization: Bearer lyre_sk_live_abc123def456"
Requests without a valid key receive a 401 Unauthorized response.
API key types
LYRE issues two classes of API key. Use the right one for each context.
| Key prefix | Environment | Permissions | Use case |
|---|---|---|---|
| lyre_sk_live_ | Production | Full read/write | Server-side integrations, production agents |
| lyre_sk_test_ | Sandbox | Full read/write (sandbox data) | Development, CI/CD, testing |
Sandbox keys connect to a sandboxed environment. Calls made with test keys are free but limited to 60 seconds and do not connect to real phone numbers.
Generating API keys
1. Open the dashboard. Navigate to dashboard.lyre.au and sign in.
2. Go to Settings → API Keys. Click Generate Key. Choose a name (e.g. “production-backend”) and select the environment (live or sandbox).
3. Copy the key. The full key is shown once. Copy it and store it securely. If lost, revoke and generate a new key.
Rate limits
Rate limits are applied per API key. Exceeding the limit returns 429 Too Many Requests with a Retry-After header.
| Endpoint group | Limit | Window |
|---|---|---|
| Agent CRUD | 100 requests | per minute |
| Call creation | 30 requests | per minute |
| Call list / detail | 200 requests | per minute |
| Provider config | 60 requests | per minute |
| Webhooks | 60 requests | per minute |
Need higher limits? Contact support@lyre.au with your use case.
Rate limit headers
Every API response includes headers to help you track consumption.
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 87
X-RateLimit-Reset: 1712976000
Key rotation
You can have up to 5 active keys per environment. This allows zero-downtime rotation:
1. Generate a new key in the dashboard.
2. Deploy the new key to your servers.
3. Verify traffic is flowing on the new key (check the dashboard Activity tab).
4. Revoke the old key.
Security best practices
- Never expose keys client-side. API keys are server-side secrets. Use the LYRE Web SDK token flow for browser clients: the server mints a short-lived LiveKit token, not the API key itself.
- Use environment variables. Store keys in LYRE_API_KEY and reference them from your runtime config. Never hard-code keys in source files.
- Rotate regularly. Rotate production keys at least every 90 days. Set a calendar reminder.
- Use sandbox keys for development. Test keys (lyre_sk_test_) prevent accidental production calls during development.
- Audit key usage. The dashboard shows last-used timestamps and request counts for each key. Revoke any key that shows unexpected activity.
- IP allowlisting (Enterprise). Enterprise plans can restrict keys to specific IP ranges. Contact support to enable.
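
One way to enforce the environment-variable and sandbox-key practices above, added here as an example and not LYRE's own code: a scanner that flags hard-coded keys by prefix with the secret redacted, plus a loader that reads LYRE_API_KEY and rejects a key from the wrong environment. The function names, the alphanumeric key-body pattern and the rule rejecting a sandbox key in production are assumptions; the sample file is constructed.

```python
import os
import re

# Assumption: the part after the prefix is alphanumeric, as in the page's sample key.
KEY_RE = re.compile(r"\blyre_sk_(live|test)_[A-Za-z0-9]{6,}")

# Constructed sample file contents, embedded so the example runs offline.
SAMPLE = '''\
# settings.py (constructed)
API_BASE = "https://api.lyre.au/v1"
LYRE_KEY = "lyre_sk_live_abc123def456"
GOOD_KEY = os.environ["LYRE_API_KEY"]
ci_key: lyre_sk_test_zzz999yyy888
'''


def scan_text(text, source="<memory>"):
    """Return one finding per hard-coded key, with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            env = m.group(1)
            findings.append({
                "source": source,
                "line": lineno,
                "env": env,
                # A committed live key needs revocation; a sandbox key is hygiene.
                "severity": "high" if env == "live" else "low",
                "key": f"lyre_sk_{env}_...{m.group(0)[-4:]}",
            })
    return findings


def load_key(environ=os.environ, production=False):
    """Read the key from LYRE_API_KEY; reject a key from the wrong environment."""
    m = KEY_RE.fullmatch(environ.get("LYRE_API_KEY", ""))
    if m is None:
        raise RuntimeError("LYRE_API_KEY is missing or malformed")
    if (m.group(1) == "live") != production:
        raise RuntimeError("key environment does not match this deployment")
    return m.group(0)


if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "settings.py"):
        print(finding)
```

Run `scan_text` over staged files in a pre-commit hook or CI job and fail the build on any `high` finding; a live key that reached a commit should be revoked, not just deleted from the file.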
Authentication error codes
| Status | Code | Meaning |
|---|---|---|
| 401 | auth_missing | No Authorization header provided |
| 401 | auth_invalid | Key is malformed or does not exist |
| 401 | auth_revoked | Key has been revoked |
| 429 | rate_limited | Too many requests, check Retry-After header |