Remix Api Key Auth
PassAudited by ClawScan on May 1, 2026.
Overview
This is a simple instruction-only guide for setting up a Remix API key, with the main caution that API keys are sensitive and the verification step makes an authenticated API call.
This skill appears safe to use as an instruction guide. Before installing or following it, remember that a bearer API key is equivalent to delegated account access: keep it server-side, store it as a secret, do not paste it into browser/client code or logs, and test only in a non-production Remix project.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the API key may be able to act against the associated Remix account or project within that key's permissions.
A bearer API key grants delegated access to Remix APIs. This is directly aligned with the skill's purpose, but users should treat the key as a sensitive credential.
Create a new API key. Store it as a secret in your service runtime. Send: Authorization: Bearer <api_key>
Use the least-privileged key available, store it only server-side as a secret, avoid exposing it in browser code or logs, and rotate it if there is any chance it was leaked.
If run against the wrong project or account, the verification request could create or change a resource unintentionally.
The suggested verification uses an authenticated POST request, which may create or modify a Remix-side resource. The instruction limits it to a test project, making it proportionate but still worth noticing.
Run a cheap authenticated call first (for example, POST /v1/agents/games in a test project) to verify the key works.
Confirm the base URL, account, and project before testing, and use a disposable or test project for the first authenticated call.