Create an API Key
- Go to Settings > Integrations > API Keys
- Click Create API Key
- Enter a name for the key
- Select the scopes your integration needs (see Available Scopes below)
- Optionally add IP allowlist restrictions (CIDR notation)
- Click Create
- Copy the key immediately — it is shown only once
Scopes
Each key is assigned scopes that control endpoint access:
A key with a
write scope automatically has the corresponding read scope. For example, knowledge:write includes knowledge:read. The * scope satisfies any scope check and overrides every other selection.
Make API Requests
Include the API key in theX-API-Key header:
/api/v1/. See the Public API v1 reference for available endpoints.
Scoped API keys only work with
/api/v1/ endpoints. They cannot be used to authenticate SDK/widget requests (/api/sdk/v1/) or internal API requests — those use widget authentication and Clerk JWT respectively.Security Features
IP allowlisting — Restrict a key to specific IP addresses or CIDR ranges. Requests from other IPs are rejected. Automatic lockout — After 10 consecutive authentication failures, a key is locked. Unlock it from the API Keys management page. Audit logging — Every API request is logged with the key used, endpoint called, response status, and client IP. Key rotation — Rotate a key to generate a new secret while keeping the same scopes and settings. An optional grace period keeps the old key active during the transition.Rotate a Key
- Go to Settings > Integrations > API Keys
- Click on the key you want to rotate
- Click Rotate Key
- Set a grace period if needed (the old key stays active for that duration)
- Copy the new key and update your integration
- After the grace period expires, the old key stops working
Revoke a Key
- Go to Settings > Integrations > API Keys
- Click on the key you want to revoke
- Click Revoke
Migrate from Legacy API Keys
If you have a legacy API key (configured in Settings > Integrations > API Configuration):- Create a new API v1 key with the scopes your integration needs
- Update your integration to use the new key and the
/api/v1/endpoints - Delete the legacy key from Settings > Integrations > API Configuration
/api/). API v1 keys are scoped to /api/v1/ endpoints, so you only grant the access your integration actually needs.
Troubleshooting
403 Forbidden
403 Forbidden
- The key is valid but does not have the required scope. Edit the key to add the missing scope.
429 Too Many Requests
429 Too Many Requests
- Rate limit exceeded. Wait and retry. The limit is 300 requests per minute per IP.
