Setup

Auth & API Keys

User authentication and scoped API key management

Overview

The Auth resource handles user authentication (sign up, sign in, sign out) and API key management. Authentication uses email/password with session tokens. API keys provide scoped access for SDK operations.

All auth methods are available on r.auth.

Methods

MethodDescription
signUp(input)Create a new user account.
signIn(input)Sign in with email and password.
getSession(token)Validate a session token and get user info.
signOut(token)Sign out (invalidate session).
createApiKey(input, sessionToken)Create a scoped API key.
signUpAndCreateKey(input, keyInput)One-shot: sign up → create API key → return it.
signInAndCreateKey(credentials, keyInput)One-shot: sign in → create API key → return it.
verifyOtpAndCreateKey(input, keyInput)One-shot: verify OTP → create API key → return it.

Sign up

Create a new user account with email and password.

1const session = await r.auth.signUp({
2  name: 'Alice Johnson',
3  email: 'alice@example.com',
4  password: 'Example-Passw0rd!',
5});
6
7console.log(session.token);        // Session token — store this securely
8console.log(session.user.id);
9console.log(session.user.name);
10console.log(session.user.email);

Input fields:

FieldTypeRequiredDescription
namestringYesDisplay name.
emailstringYesEmail address.
passwordstringYesPassword (12–128 characters with lowercase, uppercase, digit, and symbol).

Returns: AuthSession

1interface AuthSession {
2  token: string;
3  user: {
4    id: string;
5    name: string;
6    email: string;
7    image: string | null;
8  };
9}

Password requirements:

  • 12–128 characters
  • At least one lowercase letter, one uppercase letter, one digit, and one symbol
  • Not a known compromised password (e.g. password123! is rejected)

Failing the policy returns a 400 with code WEAK_PASSWORD.

The session token is returned in the response body. Store it securely — on mobile, use expo-secure-store or the platform keychain. Never store tokens in AsyncStorage or localStorage in production.

Sign in

1const session = await r.auth.signIn({
2  email: 'alice@example.com',
3  password: 'Example-Passw0rd!',
4});
5
6console.log(session.token);
7console.log(session.user.name);

Input fields:

FieldTypeRequiredDescription
emailstringYesEmail address.
passwordstringYesPassword.

Error handling:

1import { AuthenticationError, ValidationError } from '@recursiv/sdk';
2
3try {
4  const session = await r.auth.signIn({
5    email: 'alice@example.com',
6    password: 'wrongpassword',
7  });
8} catch (err) {
9  if (err instanceof AuthenticationError) {
10    // err.code === 'invalid_credentials'
11    console.error('Invalid email or password');
12  }
13}

Get session

Validate a session token and retrieve the associated user. Returns null if the session is invalid or expired.

1const session = await r.auth.getSession(storedToken);
2
3if (session) {
4  console.log(`Logged in as ${session.user.name}`);
5} else {
6  console.log('Session expired — redirect to login');
7}

Sign out

Invalidate a session token.

1await r.auth.signOut(sessionToken);

Create an API key

API keys provide scoped access to the SDK. They are created using a session token (not another API key).

1const apiKey = await r.auth.createApiKey(
2  {
3    name: 'CI/CD Pipeline',
4    scopes: ['projects:read', 'projects:write'],
5  },
6  sessionToken,
7);
8
9console.log(apiKey.key);     // 'sk_live_...' — only shown once!
10console.log(apiKey.id);
11console.log(apiKey.name);
12console.log(apiKey.prefix);  // 'sk_live_abc...' (for identification)
13console.log(apiKey.scopes);

The full API key is only returned once at creation time. Store it immediately in a secure location (environment variable, secrets manager). It cannot be retrieved later.

Input fields:

FieldTypeRequiredDescription
namestringYesA descriptive name for the key.
scopesstring[]YesList of permission scopes.
organizationIdstring?NoScope the key to an organization (mutually exclusive with projectId).
projectIdstring?NoScope the key to a project (mutually exclusive with organizationId).

createApiKey requires a session token (from signIn or signUp), not an API key. This is because creating API keys is a privileged operation that requires active user authentication.

Available scopes

This is the complete list of valid scopes. Anything else (e.g. deploy:create, agents:chat) is rejected with an invalid_scope error. Deployments are covered by projects:write; chatting with agents by agents:write; sandbox execution by projects:write.

ScopeDescription
projects:readRead project details, list projects, view deployments and logs.
projects:writeCreate/delete projects, deploy, execute code, manage sandboxes.
agents:readRead agent details and list agents.
agents:writeCreate, update, and delete agents; chat; grant project access.
posts:readRead posts and feeds.
posts:writeCreate, update, and delete posts.
chat:readRead conversations and messages.
chat:writeSend messages and manage conversations.
communities:readRead community details.
communities:writeCreate and manage communities.
users:readRead user profiles.
users:writeUpdate user profiles, follow/unfollow.
organizations:readRead organization details.
organizations:writeManage organization members and settings.
notifications:readList notifications.
notifications:writeMark notifications read, manage preferences.
settings:readRead user settings.
settings:writeUpdate user settings.
tags:readList and get tags.
tags:writeCreate and delete tags.
uploads:writeUpload files.
wallet:readView wallet balances.
wallet:writeWallet operations.
commands:readRead command results.
commands:writeExecute AI commands.
storage:readRead storage buckets and objects.
storage:writeUpload and delete objects.
databases:readRead database details and credentials.
databases:writeCreate and manage databases.
billing:readRead billing and usage information.
billing:writeManage billing settings.
memory:readRead memory (facts, decisions).
memory:writeWrite memory (add facts, log decisions).
adminPlatform administration (restricted to platform admins).

One-shot onboarding

signUpAndCreateKey collapses sign up + key creation into a single call — the recipe for agents and mobile apps that need to go from nothing to an authenticated client:

1import { Recursiv } from '@recursiv/sdk';
2
3const anon = new Recursiv({ anonymous: true });
4
5const { apiKey, user, session } = await anon.auth.signUpAndCreateKey(
6  { name: 'Bob Builder', email: 'bob@example.com', password: 'Example-Passw0rd!' },
7  { name: 'my-app', scopes: ['projects:read', 'projects:write'] },
8);
9
10const r = new Recursiv({ apiKey });

signInAndCreateKey(credentials, keyInput) does the same for existing users, and verifyOtpAndCreateKey(otpInput, keyInput) for passwordless OTP flows. All three return { apiKey, user, session }.

Full example: sign up, create API key, use it

1import { Recursiv } from '@recursiv/sdk';
2
3// Step 1: Initialize without an API key (for auth only)
4const authClient = new Recursiv({
5  allowNoKey: true, // Auth methods don't need an API key
6});
7
8// Step 2: Sign up
9const session = await authClient.auth.signUp({
10  name: 'Bob Builder',
11  email: 'bob@example.com',
12  password: 'Example-Passw0rd!',
13});
14
15console.log('Signed up as:', session.user.name);
16
17// Step 3: Create an API key using the session token
18const apiKey = await authClient.auth.createApiKey(
19  {
20    name: 'Development',
21    scopes: [
22      'projects:read',
23      'projects:write',
24      'agents:read',
25      'agents:write',
26    ],
27  },
28  session.token,
29);
30
31console.log('API Key created:', apiKey.prefix);
32// Store apiKey.key securely — it's only shown once!
33
34// Step 4: Use the API key for all future SDK operations
35const r = new Recursiv({ apiKey: apiKey.key });
36
37const { data: me } = await r.users.me();
38console.log('Authenticated as:', me.name);

Token storage best practices

PlatformRecommended storage
Node.js / CIEnvironment variable (RECURSIV_API_KEY)
Next.jsServer-side env var. Never expose in client bundles.
React Native / Expoexpo-secure-store for session tokens
iOS nativeKeychain
Android nativeEncryptedSharedPreferences
BrowserHttpOnly cookie (via your backend)

Never store API keys or session tokens in:

  • localStorage or sessionStorage (XSS vulnerable)
  • AsyncStorage (unencrypted on disk)
  • Source code or git repositories
  • Client-side JavaScript bundles