Auth & Keys

All Developer API requests use X-API-Key authentication.

Base URL

  • Production: https://api.indigenius.ai
  • Version prefix: /v1

Endpoints

  • POST /v1/auth/keys — create an API key
  • GET /v1/auth/keys — list API keys
  • GET /v1/auth/scopes — list supported scopes
  • PATCH /v1/auth/keys/{id}/scopes — replace key scopes
  • POST /v1/auth/keys/{id}/rotate — rotate key secret
  • POST /v1/auth/keys/{id}/revoke — revoke key

Test this section quickly

Create API key (DTO-accurate):
curl -X POST "https://api.indigenius.ai/v1/auth/keys" \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production key",
    "scopes": ["calls:read", "calls:write", "widgets:write"],
    "expiresAt": "2026-12-31T23:59:59.000Z",
    "rateLimitPerMinute": 120,
    "rateLimitPerHour": 2000,
    "allowedIps": ["102.88.10.5"],
    "callbackUrl": "https://client.example.com/hooks/indigenius"
  }'
List API keys:
curl -X GET "https://api.indigenius.ai/v1/auth/keys" \
  -H "X-API-Key: YOUR_API_KEY"
Update key scopes:
curl -X PATCH "https://api.indigenius.ai/v1/auth/keys/665e4a34c65bb95f2f2d72e1/scopes" \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "scopes": ["calls:read", "calls:write", "workflows:write"]
  }'
Rotate key:
curl -X POST "https://api.indigenius.ai/v1/auth/keys/665e4a34c65bb95f2f2d72e1/rotate" \
  -H "X-API-Key: YOUR_API_KEY"
Revoke key:
curl -X POST "https://api.indigenius.ai/v1/auth/keys/665e4a34c65bb95f2f2d72e1/revoke" \
  -H "X-API-Key: YOUR_API_KEY"
Example response (list API keys):
{
  "status": true,
  "message": "API keys fetched",
  "data": [
    {
      "id": "665e4a34c65bb95f2f2d72e1",
      "name": "Production key",
      "publicKey": "pk_live_7ecf0af44e8f4e48",
      "scopes": ["calls:read", "calls:write"],
      "status": "active"
    }
  ]
}

Scope model

Scopes are enforced per endpoint. Common examples:
  • keys:read, keys:write
  • calls:read, calls:write
  • assistants:read, assistants:write
  • widgets:read, widgets:write
  • workflows:read, workflows:write
  • analytics:read
  • billing:read
  • phone:read, phone:write
  • webhooks:read
  • create_studio:read, create_studio:write

Key lifecycle best practices

  1. Create separate keys per environment (dev, staging, prod).
  2. Restrict scopes to least privilege.
  3. Rotate keys regularly and immediately after suspected exposure.
  4. Revoke unused keys.
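
One way to apply practices 2 and 4 to the output of GET /v1/auth/keys, as an added example (not Indigenius code): it compares each active key's scopes with an inventory you maintain and returns the PATCH or revoke requests to send. The REQUIRED_SCOPES inventory, the function name, all sample ids except the first, and the "revoked" status value are assumptions.

```python
import json

# Constructed sample in the shape of the GET /v1/auth/keys response shown above.
# Only the first id comes from the page; the rest, and the "revoked" status
# value, are made up for illustration.
SAMPLE_RESPONSE = json.loads("""
{"status": true, "message": "API keys fetched", "data": [
  {"id": "665e4a34c65bb95f2f2d72e1", "name": "Production key",
   "scopes": ["calls:read", "calls:write", "widgets:write"], "status": "active"},
  {"id": "000000000000000000000002", "name": "Dashboard key",
   "scopes": ["analytics:read"], "status": "active"},
  {"id": "000000000000000000000003", "name": "Old test key",
   "scopes": ["keys:write"], "status": "active"},
  {"id": "000000000000000000000004", "name": "Retired key",
   "scopes": ["calls:read"], "status": "revoked"}
]}
""")

# Assumption: your own inventory of what each key is supposed to be able to do.
REQUIRED_SCOPES = {
    "Production key": {"calls:read", "calls:write"},
    "Dashboard key": {"analytics:read"},
}

def plan_key_cleanup(response, required):
    """Return (method, path, body) tuples that narrow or revoke active keys."""
    plan = []
    for key in response["data"]:
        if key.get("status") != "active":
            continue  # already inactive, nothing to tighten
        needed = required.get(key["name"])
        if needed is None:
            # No owner in the inventory: treat as unused and revoke.
            plan.append(("POST", f"/v1/auth/keys/{key['id']}/revoke", None))
            continue
        granted = set(key["scopes"])
        if granted - needed:
            # PATCH replaces the whole scope list, so send only what is kept.
            # Intersecting means this audit can remove scopes but never add one.
            keep = sorted(granted & needed)
            plan.append(("PATCH", f"/v1/auth/keys/{key['id']}/scopes", {"scopes": keep}))
    return plan

if __name__ == "__main__":
    for method, path, body in plan_key_cleanup(SAMPLE_RESPONSE, REQUIRED_SCOPES):
        print(method, path, json.dumps(body) if body else "")
```

Review the printed plan before sending any of it; the key used to make these calls needs keys:write, so keep that key out of the revoke list.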

Common errors while testing

  • 401/404 invalid key — verify X-API-Key value and key status.
  • 403 scope denied — add required scope to key via PATCH /v1/auth/keys/{id}/scopes.
  • 400 validation — payload fields fail DTO constraints.