Skip to main content
Authentication is opt-in. By default, all endpoints (including webhook ingest) are publicly accessible. To protect your instance, set authKey in the Actor input. Once set, the same key is enforced across all management routes and, conditionally, on the webhook ingest endpoint.

Enabling authentication

Pass authKey in your Actor input to activate auth: 
{
  "authKey": "your-shared-secret"
}

Supported methods

Once authKey is configured, you can authenticate with either of the following methods on every protected request.
MethodExample
Bearer token headerAuthorization: Bearer YOUR_KEY
Query parameter?key=YOUR_KEY
curl -H "Authorization: Bearer your-shared-secret" \
  https://<run-id>.runs.apify.net/logs

Protected endpoints

The following endpoints require authentication when authKey is configured:
  • GET /
  • GET /info
  • GET /logs
  • GET /logs/:logId
  • GET /logs/:logId/payload
  • GET /log-stream
  • POST /replay/:webhookId/:itemId
  • GET /system/metrics

Never protected

The health probes are never auth-protected, regardless of whether authKey is set. This allows container orchestrators and load balancers to probe the service without credentials.
  • GET /health
  • GET /ready

Webhook ingest auth

ANY /webhook/:id is public by default. When authKey is configured, webhook ingest uses the same auth validation as management routes. This means every inbound webhook request must include a valid Authorization: Bearer header or ?key= query parameter.
If you secure ingest with authKey, ensure your webhook providers can send the required credential. Not all providers support custom auth headers — check your provider’s webhook configuration options before enabling this.

401 response

When a request is missing a credential or provides an invalid one, the server returns: 
{
  "error": "Unauthorized",
  "message": "Missing or invalid auth key"
}