Skip to main content
API servers generated by praisonai deploy run --type api require bearer token authentication by default as of PraisonAI 4.6.34. The user calls a deployed API with a bearer token; the server rejects unauthenticated requests before the agent runs.

Quick Start

1

Default (auth on)

Start the API server and capture the auto-generated token from stderr:
Then make authenticated requests:
2

Bring your own token

Set your own bearer token before starting:
Use your token in requests:
3

Disable auth (legacy)

Not recommended for production. Only use in trusted private networks.
Disable authentication explicitly:

How It Works


Environment Variables

Configuration Examples


APIConfig Reference

The APIConfig class in praisonai.deploy.models now defaults to secure settings:

Before vs After 4.6.34


Security Details

Security Features

  • Constant-time token comparison using secrets.compare_digest() prevents timing oracle attacks
  • Auto-generated tokens are cryptographically secure (32 bytes, URL-safe)
  • stderr output only - tokens never appear in HTTP responses or logs
  • Localhost binding by default - reduces attack surface
  • Unauthenticated health endpoint at /health for monitoring

Token Generation


Common Patterns

cURL Examples

Python Requests

Environment File Setup


Migration from < 4.6.34

Quick fix for existing deployments:
This removes security protections. Only use in trusted environments.
Recommended approach:
Store the token securely and update your clients.
Secure LAN deployment:
Share the token only with trusted clients on your network.

Best Practices

  • Generate strong tokens: Use openssl rand -base64 32 or similar
  • Rotate tokens regularly: Update PRAISONAI_API_TOKEN and restart
  • Store securely: Never commit tokens to version control
  • Use environment variables: Keep tokens out of configuration files
  • Scope tokens appropriately: Different tokens for dev/staging/prod
  • Default localhost binding: Keep host: 127.0.0.1 unless necessary
  • TLS termination: Front with nginx/cloudflare for HTTPS
  • Firewall rules: Restrict port 8080 access to known sources
  • VPN access: Use VPN instead of public exposure when possible
  • Development: Use auto-generated tokens, localhost binding
  • Staging: Custom tokens, restricted network access
  • Production: Strong tokens, TLS frontend, monitoring
  • CI/CD: Separate tokens per environment, secret management
  • Monitor /health: Unauthenticated endpoint for status checks
  • Log 401 responses: Track authentication failures
  • Alert on token exposure: Watch for tokens in logs/errors
  • Audit token usage: Track which clients use which tokens

Security Best Practices

Overall security guidance for PraisonAI deployments

Agents API Reference

HTTP API endpoints for Agent.launch() servers (different authentication)