Understanding Deployment Access Keys
The deployment access key is the primary authentication mechanism for Alactic AGI. This guide explains what it is, how it works, and how to manage it.
What is a Deployment Access Key?
The deployment access key is a unique, cryptographically-generated identifier assigned to your Alactic AGI deployment. It serves as the authentication token for all interactions with your instance.
Format: ak- followed by 40 alphanumeric characters
Example: ak-7f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2c3b4a5f6e
Key Characteristics:
- Unique per deployment
- Generated during Azure resource creation
- Stored in Azure Key Vault
- Cannot be changed or regenerated
- Required for all frontend and API access
How Access Keys Work
Generation Process
- ARM template deployment begins
- Azure generates unique string based on:
- Resource group ID
- Deployment name
- Timestamp
- Key is hashed and prefixed with
ak- - Stored in Azure Key Vault as
DEPLOYMENT-ACCESS-KEYsecret - Exposed as deployment output
Authentication Flow
- User enters key in access gate interface
- Browser stores key in localStorage
- Frontend sends key in HTTP headers with every API request
- Backend validates key against Key Vault value
- Request is authorized or rejected
Storage Locations
Your deployment key exists in three places:
Azure Key Vault (Source of Truth)
- Location: Key Vault resource in your resource group
- Secret name:
DEPLOYMENT-ACCESS-KEY - Access: Via Managed Identity or Azure CLI
- Viewable in Azure Portal under "Secrets"
VM Environment (Runtime)
- Location: Application
.envfile on VM - Variable:
DEPLOYMENT_ACCESS_KEY=ak-xxxxx - Used by backend for validation
- File permissions: 600 (owner read/write only)
Browser localStorage (Client)
- Key:
alactic_deployment_key - Value:
ak-xxxxx - Scope: Per-domain
- Persists across browser sessions
- Cleared when logging out
Finding Your Deployment Access Key
Method 1: Deployment Outputs (Easiest)
Immediately after deployment:
- Go to Azure Portal
- Navigate to "Deployments" in your resource group
- Click on the Alactic AGI deployment
- Click "Outputs" tab
- Copy
deploymentAccessKeyvalue
Note: Outputs remain available indefinitely, so you can retrieve the key anytime.
Method 2: Azure Key Vault (Recommended for Production)
- Go to Azure Portal
- Navigate to your resource group
- Open the Key Vault resource (name:
<prefix>-kv-<suffix>) - Click "Secrets" in left menu
- Click on
DEPLOYMENT-ACCESS-KEY - Click "Show Secret Value"
- Copy the displayed value
Requires Permissions: You need "Key Vault Secrets User" or "Key Vault Administrator" role.
Method 3: Settings Page in Application
If you've already logged in:
- Access your Alactic AGI instance
- Click Settings icon (gear) in top right
- Scroll to "Deployment Information" section
- Key is displayed (partially masked)
- Click "Copy" to copy full key
Note: You must be authenticated to access Settings page.
Method 4: SSH to VM (Advanced)
SSH into the VM and read the environment file:
ssh -i your-key.pem your-user@your-vm-fqdn
cat ~/.env | grep DEPLOYMENT_ACCESS_KEY
Requires: SSH key for VM access
Viewing Key in Dashboard
Once authenticated, your deployment key is visible in the Settings page.
Location in Interface
- Log in to Alactic AGI
- Click the Settings icon (⚙️) in the top-right corner
- Scroll to Deployment Information card
What You See
Deployment Access Key
ak-7f8e9d0c••••••••••••••••••••••••••5f6e
[Copy Key] [Show Full Key]
Security Feature: Key is partially masked by default. Click "Show Full Key" to reveal complete value.
Copying the Key
Click the "Copy Key" button to copy the full key to clipboard. Useful for:
- Sharing with team members
- Configuring API clients
- Setting up automation scripts
- Documentation purposes
Key Immutability
Critical Limitation: Deployment access keys cannot be changed after creation.
Why Keys Cannot Be Changed
- Generated during ARM template deployment
- Embedded in multiple Azure resources
- Changing would require redeployment
- Intentional design for security and consistency
Implications
- Lost Key: Cannot retrieve if lost before first login
- Compromised Key: Cannot rotate key without redeployment
- Team Changes: Cannot revoke access for specific users
- Audit Requirements: Cannot enforce key rotation policies
What This Means for You
Before Deployment:
- Ensure you can access deployment outputs
- Have a secure place to store the key
- Plan for key management and distribution
After Deployment:
- Store key in password manager immediately
- Share only with authorized personnel
- Treat as a permanent credential
- Document key location for disaster recovery
If You Need to Change the Key
The only way to change the deployment access key is to redeploy:
-
Export Data (if needed)
- Back up any processed documents
- Export Cosmos DB data if required
-
Delete Deployment
- Delete the entire resource group
- Or delete all Alactic AGI resources individually
-
Redeploy
- Follow the Quick Start Guide
- New deployment generates new key
Cost Impact: Redeployment may incur costs based on retained storage and data.
Security Best Practices
Storing the Key
DO:
- Store in enterprise password manager (1Password, LastPass, Azure Key Vault)
- Encrypt if storing in files or documentation
- Use Azure Key Vault for programmatic access
- Maintain offline backup in secure location
DON'T:
- Commit to version control systems (Git, SVN)
- Email unencrypted
- Store in plain text files on local disk
- Share via insecure messaging platforms
Sharing with Team Members
Secure Sharing Methods:
- Encrypted email (PGP, S/MIME)
- Enterprise password manager with team vaults
- Azure Key Vault with RBAC
- Secure collaboration tools (SharePoint, Teams with DLP)
Insecure Sharing Methods:
- Slack or Teams direct messages
- SMS or text messages
- Unencrypted email
- Shared documents without encryption
- Verbal communication
Access Control
Since keys cannot be rotated, implement additional controls:
Application-Level
- Use Azure AD for portal access
- Implement IP whitelisting in NSG
- Enable Azure Front Door with WAF
- Add custom authentication layer
Network-Level
- Restrict NSG to specific IP ranges
- Use Azure Bastion for VM access
- Deploy in private VNET
- Implement VPN or ExpressRoute
Monitoring
- Enable Azure Monitor for access logs
- Set up alerts for unusual access patterns
- Review audit logs regularly
- Track login attempts and failures
API Access with Keys
HTTP Header Format
When making API requests, include the key in headers:
POST /api/start HTTP/1.1
Host: your-instance.com:3000
Content-Type: application/json
X-Deployment-Key: ak-7f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2c3b4a5f6e
{
"urls": ["https://example.com"]
}
Header Name: X-Deployment-Key
Header Value: Full deployment key with ak- prefix
Query Parameter (EventSource Only)
For Server-Sent Events (SSE) streaming endpoints:
GET /api/stream/job-id?key=ak-7f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2c3b4a5f6e HTTP/1.1
Host: your-instance.com:3000
Note: EventSource API doesn't support custom headers, so key is passed as query parameter.
cURL Examples
Processing URLs:
curl -X POST https://your-instance.com:3000/api/start \
-H "Content-Type: application/json" \
-H "X-Deployment-Key: ak-your-key-here" \
-d '{"urls": ["https://example.com"]}'
Checking Configuration:
curl https://your-instance.com:3000/api/config \
-H "X-Deployment-Key: ak-your-key-here"
Uploading PDF:
curl -X POST https://your-instance.com:3000/api/upload \
-H "X-Deployment-Key: ak-your-key-here" \
-F "file=@document.pdf"
Troubleshooting Key Issues
Invalid Key Error
Symptom: "Invalid deployment key" message
Causes:
- Typo in key (missing characters, wrong case)
- Extra whitespace before/after key
- Wrong key for this deployment
- Backend service not initialized
Solutions:
- Copy key again from deployment outputs
- Verify no extra spaces
- Wait 2-3 minutes for backend initialization
- Check backend service status via SSH
Key Not in Deployment Outputs
Symptom: deploymentAccessKey missing from outputs
Causes:
- Deployment failed before completion
- Custom template missing output definition
- Viewing wrong deployment
Solutions:
- Check deployment status in Azure Portal
- Verify deployment completed successfully
- Use Key Vault method to retrieve key
- Contact support if issue persists
Browser Not Remembering Key
Symptom: Must re-enter key after closing browser
Causes:
- Browser in incognito/private mode
- localStorage disabled
- Browser cache cleared
- Domain name changed
Solutions:
- Use normal browsing mode
- Enable localStorage in browser settings
- Re-enter key (it will persist in normal mode)
- Bookmark access gate with key in query (not recommended for security)
Multiple Deployments Confusion
Symptom: Using key from wrong deployment
Solution: Create a naming convention:
Production: ak-xxxxx (stored in production password vault)
Staging: ak-yyyyy (stored in staging password vault)
Development: ak-zzzzz (stored in dev password vault)
Label each key clearly with environment and deployment date.
Key Management Workflow
Initial Deployment
- Complete Azure Marketplace deployment
- Immediately copy deploymentAccessKey from outputs
- Store in enterprise password manager
- Share with authorized team members via secure channel
- Document key location in runbook
Daily Operations
- Users retrieve key from password manager
- Enter key once in browser
- Browser remembers key in localStorage
- No further authentication needed
- Key is sent automatically with all requests
Team Member Onboarding
- Verify new member is authorized
- Grant access to Key Vault (Azure RBAC)
- Share key via secure method
- Document access grant in audit log
- Provide training on key security
Key Compromise Response
If key is compromised:
- Immediate: Change NSG rules to block all traffic
- Short-term: Implement IP allowlist
- Long-term: Plan redeployment with new key
- Document: Incident report and lessons learned