praisonai deploy run --type api require bearer token authentication by default as of PraisonAI 4.6.34.
The user calls a deployed API with a bearer token; the server rejects unauthenticated requests before the agent runs.
Quick Start
1
Default (auth on)
Start the API server and capture the auto-generated token from stderr:Then make authenticated requests:
2
Bring your own token
Set your own bearer token before starting:Use your token in requests:
3
Disable auth (legacy)
Disable authentication explicitly:
How It Works
Environment Variables
Configuration Examples
APIConfig Reference
TheAPIConfig class in praisonai.deploy.models now defaults to secure settings:
Before vs After 4.6.34
Security Details
Security Features
- Constant-time token comparison using
secrets.compare_digest()prevents timing oracle attacks - Auto-generated tokens are cryptographically secure (32 bytes, URL-safe)
- stderr output only - tokens never appear in HTTP responses or logs
- Localhost binding by default - reduces attack surface
- Unauthenticated health endpoint at
/healthfor monitoring
Token Generation
Common Patterns
cURL Examples
Python Requests
Environment File Setup
Migration from < 4.6.34
I just want my old setup back
I just want my old setup back
Quick fix for existing deployments:
I want to keep auth on but rotate the token
I want to keep auth on but rotate the token
Recommended approach:Store the token securely and update your clients.
I want my server reachable on the LAN
I want my server reachable on the LAN
Secure LAN deployment:Share the token only with trusted clients on your network.
Best Practices
Token Management
Token Management
- Generate strong tokens: Use
openssl rand -base64 32or similar - Rotate tokens regularly: Update
PRAISONAI_API_TOKENand restart - Store securely: Never commit tokens to version control
- Use environment variables: Keep tokens out of configuration files
- Scope tokens appropriately: Different tokens for dev/staging/prod
Network Security
Network Security
- Default localhost binding: Keep
host: 127.0.0.1unless necessary - TLS termination: Front with nginx/cloudflare for HTTPS
- Firewall rules: Restrict port 8080 access to known sources
- VPN access: Use VPN instead of public exposure when possible
Development vs Production
Development vs Production
- Development: Use auto-generated tokens, localhost binding
- Staging: Custom tokens, restricted network access
- Production: Strong tokens, TLS frontend, monitoring
- CI/CD: Separate tokens per environment, secret management
Monitoring and Logging
Monitoring and Logging
- Monitor
/health: Unauthenticated endpoint for status checks - Log 401 responses: Track authentication failures
- Alert on token exposure: Watch for tokens in logs/errors
- Audit token usage: Track which clients use which tokens
Related
Security Best Practices
Overall security guidance for PraisonAI deployments
Agents API Reference
HTTP API endpoints for Agent.launch() servers (different authentication)

