Tenant setup guide
How to create tenants, get API keys, and start ingesting events. Two paths: self-service (one API call) or admin-managed (named tenants with scoped keys).
Path 1: Self-service onboard
For agents, scripts, and automated setups — no admin access needed
This is the recommended path for LLMs and agents. One POST creates a tenant and returns an API key. No bootstrap key, no OAuth, no dashboard. The agent is ready to ingest events immediately.
Step 1: Create tenant + get API key
# Self-service onboard — no bootstrap key needed, no admin access
# Creates a tenant + API key in one call
curl -X POST https://api.all-source.xyz/api/v1/onboard/start \
-H "Content-Type: application/json" \
-d '{
"email": "agent@your-company.com",
"name": "My Production App"
}'
# Response:
# {
# "api_key": "eyJhbGciOiJIUzI1NiIs...",
# "tenant_id": "onboard-agent-at-your-company-com",
# "tier": "free",
# "events_quota": 100000,
# "getting_started": { ... }
# }The tenant ID is derived from the email. The API key is a long-lived JWT with developer role — it can read and write events, manage schemas, and create projections. Free tier: 100K events/month.
Step 2: Ingest your first event
# Use the API key from onboard to ingest events immediately
curl -X POST https://api.all-source.xyz/api/v1/events \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-d '{
"event_type": "user.action",
"entity_id": "user-123",
"payload": { "action": "login", "source": "github" }
}'
# Response: 200 OK with event IDStep 3: Query events back
# Query your events back
curl "https://api.all-source.xyz/api/v1/events/query?\
event_type=user.action&limit=10&sort=desc" \
-H "Authorization: Bearer $API_KEY"
# Response:
# { "events": [...], "count": 10 }That's it. Three curl commands: onboard → ingest → query. No configuration files, no dashboard clicks, no waiting for approval. The API key works immediately.
Path 2: Admin-managed tenants
For production environments where you need named tenants and scoped keys
Use this when you need control over tenant naming, key scoping, and rotation. Requires the bootstrap API key (Fly secret on allsource-core) or OAuth admin access via the Control Plane dashboard.
Step 1: Create a named tenant
# ADMIN ONLY: Create a named tenant (requires bootstrap key)
# Most agents should use /onboard/start instead
curl -X POST https://api.all-source.xyz/api/v1/tenants \
-H "Authorization: Bearer $BOOTSTRAP_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"id": "my-company-prod",
"name": "My Company Production"
}'The bootstrap key is a Fly secret on allsource-core. It has god-mode access to all tenants. Never embed it in application code or agent configs.
Step 2: Mint a scoped API key
# ADMIN ONLY: Mint a scoped API key for a specific tenant
# The resulting key can only access this tenant's events
curl -X POST https://api.all-source.xyz/api/v1/teams/agent-keys \
-H "Authorization: Bearer $ADMIN_JWT" \
-H "Content-Type: application/json" \
-d '{
"name": "prod-agent-readonly",
"role": "readonly"
}'
# Response includes the scoped API key
# Use this key in your agent — never the bootstrap keyScoped keys can only access their own tenant's events. Roles: admin, developer, readonly, serviceaccount. Use the narrowest role that fits — readonly for dashboards, developer for agents that write events.
Step 3: Configure your agent or CLI
# Configure chronis CLI to sync with your tenant
# In your project's .chronis/config.toml:
[sync]
mode = "remote"
remote_url = "https://api.all-source.xyz"
api_key = "eyJhbGciOiJIUzI1NiIs..." # Your scoped API key
# Then sync:
cn syncBest practices
Never use the bootstrap key in application code
The bootstrap key is god-mode. Use it once to create the tenant and mint a scoped key, then store the scoped key in your app. If the bootstrap key leaks, rotate it via `fly secrets set` — your scoped keys keep working.
Use the onboard endpoint for automated setups
If your agent just needs to store and query events, /api/v1/onboard/start is the simplest path. One call, no bootstrap key needed, works immediately. The free tier (100K events/month) is generous enough for most agent workloads.
Scope keys to the narrowest role
Agents that only read events should use a `readonly` key. Agents that write events should use `developer`. Only human operators need `admin`. The RBAC system has 4 roles and 7 permissions — use them.
Rotate keys, don't share them
Each agent or service should have its own API key. If one is compromised, revoke it via the Control Plane dashboard or API without affecting other agents. Keys are cheap — create as many as you need.
Use api.all-source.xyz, not Core directly
The gateway (api.all-source.xyz) handles auth, rate limiting, quotas, and x402 payments. Core is internal-only and trusts any caller on the network. Always route external traffic through the gateway.
Quick reference
| Endpoint | Auth | What it does |
|---|---|---|
| POST /api/v1/onboard/start | None | Self-service: create tenant + API key |
| POST /api/v1/tenants | Bootstrap key | Admin: create named tenant |
| POST /api/v1/teams/agent-keys | Admin JWT | Admin: mint scoped API key |
| POST /api/v1/events | Any API key | Ingest event |
| GET /api/v1/events/query | Any API key | Query events |
| GET /health | None | Health check |
| GET /x402/routes | None | x402 priced route discovery |
Ready to connect?
One API call to onboard. Three commands to go from zero to events.