Every request to the Trident REST API is authenticated with HTTP Basic auth. You combine your project’s Public Key and Secret Key into a single credential, Base64-encode it, and pass it in the Authorization header. All endpoints under /api/public/trident/ require this header unless otherwise noted.

Find your API Keys

1. Open the Trident Dashboard
   Navigate to app.usetrident.dev and sign in.

2. Go to Project Settings
   Click your project name in the top navigation, then select Project Settings.

3. Open the API Keys tab
   Select API Keys. You will see your Public Key (safe to share with internal services) and your Secret Key (treat this like a password).

Construct the Authorization header

Combine your keys with a colon separator (publicKey:secretKey), then Base64-encode the result. Set the encoded string as the value of the Authorization: Basic header on every request.

Base URL: https://app.usetrident.dev

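# Replace the sample keys below with your actual Public Key and Secret Key
# printf avoids the non-portable `echo -n`; tr removes any line wrapping base64 adds
CREDENTIALS=$(printf '%s' "pk_live_abc123:sk_live_xyz789" | base64 | tr -d '\n')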

curl -X GET "https://app.usetrident.dev/api/public/trident/agents" \
  -H "Authorization: Basic $CREDENTIALS" \
  -H "Accept: application/json"

Store keys as environment variables

Never hard-code your keys in source files. Use environment variables and load them at runtime:

| Variable | Description |
| --- | --- |
| TRIDENT_PROJECT_PUBLIC_KEY | Your project Public Key (prefix pk_live_…) |
| TRIDENT_PROJECT_SECRET_KEY | Your project Secret Key (prefix sk_live_…) |

Common authentication errors

| HTTP status | Meaning | Resolution |
| --- | --- | --- |
| 401 Unauthorized | Missing or malformed Authorization header, or Base64 encoding is wrong | Verify the header format is Basic <base64(pub:secret)> |
| 401 Unauthorized | Secret Key is incorrect | Double-check the key value in Project Settings |
| 403 Forbidden | Public Key does not match any project, or the project has been deleted | Verify the Public Key and ensure the project still exists |

Rate limits

The Trident API enforces per-project rate limits on the public-api resource. When you exceed the limit, the API returns 429 Too Many Requests. Implement exponential back-off in your clients and respect the Retry-After header when present. The unauthenticated public demo scan endpoint (POST /api/public/scan) has a separate rate limit of 10 requests per minute per source IP.
Keep your Secret Key private. If it is ever exposed in a log, repository, or error message, rotate it immediately from the API Keys tab in Project Settings. Rotating invalidates the old key instantly.
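
The sections above combined into one client, as an added example that is not Trident's own code: it loads both keys from the environment variables listed earlier, builds the Basic header, and retries only on 429, preferring Retry-After over exponential back-off. The function names, the injectable `send`/`sleep`/`env` parameters, the 60-second cap and the 5-attempt limit are assumptions made for the illustration.

```python
import base64
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://app.usetrident.dev"  # base URL given on this page


def basic_auth_header(public_key, secret_key):
    """Build 'Basic base64(publicKey:secretKey)' as described above."""
    if not public_key or not secret_key:
        raise ValueError("both keys are required")
    if ":" in public_key:  # RFC 7617: the user-id part must not contain ':'
        raise ValueError("public key must not contain ':'")
    token = base64.b64encode(f"{public_key}:{secret_key}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def retry_delay(attempt, retry_after=None, base=1.0, cap=60.0):
    """Seconds to wait before retrying after 0-based `attempt` (cap is assumed)."""
    if retry_after is not None and retry_after.strip().isdecimal():
        return min(float(retry_after.strip()), cap)  # server hint in seconds wins
    return min(base * 2 ** attempt, cap)  # no usable hint: exponential back-off


def http_get(path, headers):
    """Real transport: returns (status, response headers, body bytes)."""
    req = urllib.request.Request(BASE_URL + path, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        return err.code, err.headers, err.read()


def get_with_backoff(path, send=http_get, sleep=time.sleep, max_attempts=5, env=os.environ):
    """GET `path`; retry on 429 only. 401/403 mean bad keys, so they return at once."""
    auth = basic_auth_header(env["TRIDENT_PROJECT_PUBLIC_KEY"], env["TRIDENT_PROJECT_SECRET_KEY"])
    headers = {"Authorization": auth, "Accept": "application/json"}
    for attempt in range(max_attempts):
        status, resp_headers, body = send(path, headers)
        if status != 429:
            return status, body
        if attempt < max_attempts - 1:
            sleep(retry_delay(attempt, resp_headers.get("Retry-After")))
    return status, body
```

A Retry-After value given as an HTTP date rather than seconds falls through to the exponential schedule here. The header value is never printed or logged by this code, which keeps the Secret Key out of client output.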