Skip to main content
By default, all generated webhook URLs and management endpoints are publicly accessible. Anyone with your run URL can view logs, replay events, or post to your webhook endpoints. Setting authKey locks down those routes behind a shared secret that callers must present on every request.
Webhook URLs are public unless you enable authKey, allowedIps, or signature verification. Do not point sensitive production traffic to unsecured endpoints.

Set the auth key in actor input

Add authKey to your actor input. The field is marked isSecret in the input schema, so the Apify UI stores and displays it as a masked value. 
{
  "urlCount": 1,
  "retentionHours": 24,
  "authKey": "your-secret-key-here",
  "maskSensitiveData": true
}
You can also pass the full input as an environment variable for local or Docker runs: 
INPUT='{"urlCount":1,"authKey":"your-secret-key-here"}' npm start

Pass the key on every request

The actor accepts the key in two ways. Use whichever fits your client best. 
curl https://<run-id>.runs.apify.net/logs \
  -H "Authorization: Bearer your-secret-key-here"
Both methods work on all protected endpoints. The query parameter is convenient for quick browser tests; prefer the Authorization header for automated clients.

Which endpoints are protected

When authKey is set, the following management endpoints require authentication:
EndpointPurpose
GET /Dashboard page
GET /infoRuntime info and endpoint discovery
GET /logsQuery captured events
GET /logs/:logIdFetch a single log entry
GET /logs/:logId/payloadRetrieve the stored payload
GET /log-streamLive SSE event stream
POST /replay/:webhookId/:itemIdReplay a captured event
GET /system/metricsSync and operational metrics
/webhook/:id ingest is public by default, but it is also protected once you set authKey. Senders must include the key when posting to your webhook URLs. The two health probe endpoints are never protected regardless of your authKey setting:
EndpointPurpose
GET /healthLiveness probe
GET /readyReadiness probe
This lets container orchestrators and load balancers probe your instance even when all management routes require authentication.

Auth failure response

A missing or invalid key returns a 401 JSON response: 
{
  "error": "Unauthorized",
  "message": "Missing or invalid authentication key"
}

Mask sensitive headers and body fields

Even with authKey enabled, captured events may contain credentials in request headers or body fields. Two input settings help keep those values out of your logs.

maskSensitiveData

When enabled (the default), the actor automatically redacts Authorization, Cookie, Set-Cookie, and similar API key headers before writing the captured event to storage. The header key is retained in the log but the value is replaced with a redacted placeholder. 
{
  "maskSensitiveData": true
}

redactBodyPaths

Use redactBodyPaths to redact specific fields from JSON request bodies. Values are dot-notation paths that must start with body.. 
{
  "redactBodyPaths": [
    "body.token",
    "body.user.password",
    "body.payment.card"
  ]
}
The actor replaces matching field values with a redacted placeholder before storage. The field keys remain visible in the log.

Full example with auth and masking

{
  "urlCount": 1,
  "retentionHours": 48,
  "authKey": "your-secret-key-here",
  "maskSensitiveData": true,
  "redactBodyPaths": [
    "body.token",
    "body.user.password"
  ]
}
Call a protected endpoint using a Bearer token: 
curl https://<run-id>.runs.apify.net/info \
  -H "Authorization: Bearer your-secret-key-here"