Overview
All Developer API requests authenticate with X-API-Key. This page covers every endpoint for managing the keys themselves.
Base URL: https://api.indigenius.ai/v1
Required scope for key management: keys:read (read), keys:write (create/update/rotate/revoke)
POST /v1/auth/keys
Creates a new API key with specific scopes and optional rate limits.
The full API key secret is returned only in this response. Store it
immediately in a secret manager. If it is lost, rotate the key — it cannot be
retrieved again.
201 Created
GET /v1/auth/keys
Lists all API keys for your organization.
200 OK
GET /v1/auth/scopes
Returns all supported permission scopes.
PATCH /v1/auth/keys/{id}/scopes
Replaces the scopes on a key. This is a full replacement — include all scopes you want the key to have, not just new ones.
POST /v1/auth/keys/{id}/rotate
Issues a new secret for the key while keeping the same id, name, and scopes. The old secret is immediately invalidated.
Update INDIGENIUS_API_KEY in all environments that use this key before
rotating. The old secret stops working immediately.
POST /v1/auth/keys/{id}/revoke
Permanently disables a key. All requests using it will return 401 immediately. This action cannot be undone.
Scope reference
Key lifecycle best practices
- Create separate keys for
dev, staging, and prod.
- Grant only the scopes each key needs — never use an all-scope key in production.
- Set
expiresAt on production keys and rotate before expiry.
- Revoke unused keys promptly — an idle key is an unnecessary attack surface.
- Rotate immediately after any suspected exposure.