Skip to main content
Two surfaces authenticate against Amps. Your application authenticates to the Amps API with an API key. Your end users connect their devices through the Auth Journey, a hosted flow that collects OEM credentials and registers devices against your account.

API keys

Every API request carries an API key in the x-api-key header. Each key is validated on every request; metadata stored on the key drives environment routing and customer scoping. 
curl https://api.amps.ai/battery \
  -H "x-api-key: sk_test_xxxxxxxxxxxxxxxxxxxxxxxx"
Both raw and Bearer-prefixed forms are accepted: 
-H "Authorization: Bearer sk_test_xxxxxxxxxxxxxxxxxxxxxxxx"
Each key carries a customerId and environment baked into its metadata at creation time. Environment is one of sandbox or live, fixed at issuance. A sandbox key never accesses live data, a live key never accesses sandbox data, and the environment cannot be overridden via request parameters. The split is absolute.
PrefixEnvironment
sk_test_*Sandbox
sk_live_*Live
Manage keys from the dashboard. The public API does not expose key creation or revocation.

Authentication errors

CodeHTTPMeaning
UNAUTHORIZED401No API key in the request.
INVALID_API_KEY401Key is unrecognised, malformed, revoked, or soft-deleted.
EXPIRED_TOKEN401Key has passed its expiry.
RATE_LIMIT_EXCEEDED401Key has exceeded its rate ceiling.
INSUFFICIENT_PERMISSIONS403Key lacks the permission for the requested operation.
LIVE_ACCESS_DISABLED403Live key used by a customer not enabled for live access.
A revoked key is soft-deleted: subsequent requests return 401 with the revocation message in error.message, the audit trail persists, and the key body never executes again. See the error envelope for the full response shape.

Sandbox

SandboxLive
DevicesSimulated, deterministicReal OEM hardware
CredentialsNone requiredReal OEM credentials per user
AllowancesUnlimitedPer-OEM and global caps apply
UseBuild, test, demoCustomer traffic
Sandbox runs the whole stack against simulated devices, on the same code paths live uses. Build the integration, ship to staging, run a full test pass, all without touching a real OEM credential. The first OEM credential the customer’s end users hand over should be after the integration is finished, not during. Sandbox is on by default for every new account. Simulated devices return deterministic data with realistic timing and the same response shapes as live. No OEM credentials are needed. Every code path the live environment uses runs in sandbox too: the same auth guards, the same cache, the same async write path, the same webhook delivery. The only divergence is at the OEM-call layer. Sandbox access needs no enablement flag. A live API key against a customer not yet enabled for live returns 403 LIVE_ACCESS_DISABLED. Sandbox keys skip that check. Sandbox shows every device the platform supports. Live shows the OEMs your Customer App is configured for, filtered to the tiers you are entitled to. See capabilities for the availability tier model.

Sandbox device behaviour

Sandbox devices return deterministic data driven by UTC time-of-day, so the same call at the same wall-clock instant returns the same shape across runs. Useful when you’re writing fixtures or asserting against expected values.
Device typeMorning (06-09 UTC)Midday (09-15 UTC)Evening (15-21 UTC)Night (21-06 UTC)
VehiclesPlugged in, 80-95%Unplugged, level decreasingMay plug in for overnightPlugged in, charging
BatteriesDischarging for morning loadCharging from solarDischarging for peak usageIdle or slow charging
Solar invertersRamping upPeak productionDecliningNo production
HVAC and EV charger sandbox behaviour follows the device type’s typical residential pattern; see the cookbook for a worked example.

Live access

Live access requires explicit enablement on your account. Until that flag is set, every live API key returns 403. Once enabled, live keys access live data and reach real OEM hardware. 
Sandbox key: skip live check. Pass.
Live key:    check live-enabled. Pass or 403.
This is the boundary between development and production. A sandbox key is safe to embed during integration; pushing one to production is harmless because it cannot reach live data. A live key only operates after a deliberate enablement step.

Environment isolation

Sandbox and live data are stored in fully isolated schemas. Customer accounts are shared across the two; devices, credentials, actions, and schedules are not. Queries route to the correct schema based on the environment your API key carries.

Device access control

Beyond the API key check, every device-scoped request verifies the device belongs to your account in the request’s environment.
CodeHTTPTrigger
DEVICE_NOT_FOUND404Device does not exist, or exists but is not linked to your account in this environment.
The 404 is deliberate. Returning 403 would leak the existence of devices belonging to other customers. Either you can see it, or it does not exist as far as you are concerned.

The Auth Journey

End users connect their OEM accounts through the Auth Journey, a hosted flow you embed in your app via a Plaid Link-style hand-off. You pass appId and a userId (your own end-user identifier) to the URL, the journey walks the user through device connection, and redirects back to your redirectUrl on success. The step sequence: device type selection, OEM selection (filtered by your Customer App’s supported OEMs), auth method choice (where the OEM offers more than one), credential or API-key entry, MFA verification (if the OEM requires it), device selection, consent collection, success and redirect. Browser back navigation is disabled after the credentials step. Once credentials are in flight to the OEM, allowing back would leave the session inconsistent. Credentials never touch browser storage; they live only in component state. Short-lived signed tokens carry context between steps and prevent tampering. When credentials expire (OEM revokes a session, the user changes their password), Amps emits device.disconnected with a reconnectionUrl. The user follows it, the journey runs in reconnection mode skipping device-type, OEM, and device selection, the credential record refreshes, and device.reconnected fires. See webhooks. Each Customer App declares redirectUrl, reconnectRedirectUrl, logoUrl, appName, and a list of supported OEMs. Manage Customer Apps from the dashboard.

Device lifecycle

Once a user begins, every device follows the same lifecycle:
1

Connection

The user picks an OEM and authenticates through the hosted journey.
2

Registration

Amps discovers and registers devices on your account. device.connected fires.
3

Access

The device is queryable via GET /{deviceType}/{deviceId} and accepts pushes.
4

Monitoring

Connection-status changes surface as device.disconnected and device.reconnected webhooks.

Device allowances

Every account has two caps:
CapScope
GlobalTotal devices across all OEMs.
Per-OEMDevices per manufacturer.
Devices that exceed an allowance are flagged as overage and access is restricted. Overage is preferable to hard-rejecting at registration time: it lets trial flows continue without losing data, and lowering an allowance never silently deletes devices.

Public routes

A small number of routes are public and bypass authentication. The OpenAPI spec at /openapi.json and a few health endpoints fall in this category. The full list is in the API reference; everything else requires a valid key.

Frequently asked questions

How do sandbox and live environments differ?

The same code paths, the same cache rules, the same response shapes. Sandbox uses simulated devices that return deterministic data with realistic timing; live talks to real OEM hardware. Every code path the live environment exercises is exercised in sandbox: the same auth guards, the same cache layer, the same async write path, the same webhook delivery. The only divergence is at the OEM-call layer. Sandbox keys never reach live data; live keys never reach sandbox data.

What happens if I send a sandbox key to the live host?

Both environments live behind the same host. The split is enforced at the API key, not the host: a key prefixed sk_test_* always routes to sandbox, a key prefixed sk_live_* always routes to live. The environment is fixed at issuance and stamped into the key’s metadata. Callers cannot override it via request parameters. A live key against a customer not yet enabled for live returns 403 LIVE_ACCESS_DISABLED.

How do API keys map to organisations?

Every key carries customerId baked into its metadata at creation time. The customer record is shared across environments; device records and everything below are isolated by environment. Beyond the API key check, every device-scoped request verifies the device belongs to the authenticated customer. A device that exists but is not linked to this customer returns 404, not 403, to avoid leaking the existence of devices owned by other customers.

What is the Auth Journey?

A hosted flow embedded in your application via Plaid Link-style hand-off. End users connect their OEM accounts through it; the journey walks them through device-type selection, OEM selection, credential entry, MFA, device selection, consent, and registration. Credentials never touch browser storage; they exist only in component state. Short-lived signed tokens carry context between steps. On success, the journey redirects back to your redirectUrl and the platform fires a device.connected webhook.

How do device allowances work?

Two caps exist on every customer: a global cap (total devices across all OEMs) and a per-OEM cap. Devices that exceed an allowance are flagged as overage and access is restricted. Overage is preferable to a hard rejection at registration time: it lets trial flows continue without losing data, and reducing an allowance does not silently delete devices. Allowances are managed from the dashboard.

Capabilities

Per-device declaration of supported commands and parameters.

Webhooks

device.connected, device.disconnected, device.reconnected.

Error Envelope

INVALID_API_KEY, LIVE_ACCESS_DISABLED, DEVICE_NOT_FOUND.

Link UI

Embedding the Auth Journey in your app.