Authentication
All API requests require authentication. Labelf uses Bearer tokens scoped to a workspace, so every request is tied to a specific team and its permissions. Generate API credentials from your workspace settings in the Labelf dashboard.
Authorization: Bearer lbl_sk_7f3a9b2c...How to Get a Key
Four steps, under a minute:
Open Workspace Settings
In your Labelf dashboard, click the gear icon in the sidebar.
Navigate to API Credentials
Under the workspace settings menu, select API Credentials.
Create API Key
Click Create API Key. Give it a descriptive name (e.g. "CRM Integration Prod").
Copy and Store Securely
Copy the key immediately — it is only shown once. Store it in your secrets manager or environment variables.
Token Types
Labelf supports two authentication mechanisms. Choose based on your integration pattern.
API Key
Static key prefixed with lbl_sk_. Best for server-to-server integrations, batch pipelines, and scripts. No expiry — rotate manually.
-H "Authorization: Bearer lbl_sk_7f3a..."JWT Token
Short-lived JWT tokens issued via OAuth2 client credentials flow (backed by Ory Hydra). Best for micro-service architectures and environments that require token rotation and audit trails.
-H "Authorization: Bearer eyJhbGci..."Workspace Roles
API keys inherit the permissions of the workspace role they are created under. Assign the minimum role needed for each integration.
| Role | Classify | Train Models | Manage Data | Manage Users |
|---|---|---|---|---|
api-user | Yes | — | — | — |
labeler | Yes | — | Label only | — |
viewer | Yes | — | Read only | — |
dashboard_editor | Yes | — | Dashboards | — |
member | Yes | Yes | Yes | — |
admin | Yes | Yes | Yes | Yes |
owner | Yes | Yes | Yes | Yes + Billing |
For production inference pipelines, use the api-user role. It can classify text but cannot modify models, datasets, or workspace settings — the principle of least privilege.
Key Properties
Scoped per workspace
Each key is tied to a workspace and inherits its role-based permissions. One workspace can have multiple keys for different services.
Rotate without downtime
Create a new key before revoking the old one. Both remain active during the transition window. Zero-downtime rotation.
Audit trail
Every API call is logged with the key identity. Track which integration made which request for compliance and debugging.
On-Premise Deployments
For on-premise and private cloud deployments, the entire authentication stack runs within your infrastructure. API keys are issued by your local Labelf instance, tokens never leave your network, and there is no dependency on external identity providers.
Self-contained auth
The on-prem Labelf instance manages its own Hydra instance, user database, and key storage. No outbound auth calls.
SAML / OIDC federation
Integrate with your existing identity provider (Azure AD, Okta, etc.) via SAML 2.0 or OpenID Connect for single sign-on.
Security
Labelf is built for regulated industries — telecom, banking, insurance — where customer data is sensitive and compliance is not optional.
EU data residency
All cloud data is stored and processed within the EU. No data crosses EU borders unless you explicitly configure an on-prem deployment elsewhere.
GDPR compliant
Data processing agreements, right-to-deletion support, and purpose limitation built into the platform. We are the processor; you are the controller.
PII handling
Optional PII anonymization at ingestion. Classify the intent without storing the personal data. Configurable per workspace.
TLS everywhere
All API traffic is encrypted with TLS 1.2+. No plaintext endpoints. Certificate pinning available for on-prem.
Rate limiting
Per-key rate limits prevent abuse and protect shared infrastructure. Limits are configurable for enterprise plans.
On-prem isolation
For maximum control, deploy Labelf entirely within your own infrastructure. Air-gapped deployments supported.
For a complete overview of Labelf's security posture, see the Security page.
Example Request
A simple authenticated request to list your models:
curl -X GET https://api.labelf.ai/v2/models \
-H "Authorization: Bearer $LABELF_API_KEY"Response:
{
"models": [
{
"id": 42,
"name": "Contact Reason - Mobile",
"label_count": 24,
"training_samples": 12847,
"status": "deployed"
},
{
"id": 43,
"name": "Root Cause - Billing",
"label_count": 18,
"training_samples": 8421,
"status": "deployed"
}
]
}
