Skip to main content

Overview

All Developer API requests authenticate with X-API-Key. This page covers every endpoint for managing the keys themselves. Base URL: https://api.indigenius.ai/v1 Required scope for key management: keys:read (read), keys:write (create/update/rotate/revoke)

POST /v1/auth/keys

Creates a new API key with specific scopes and optional rate limits.
The full API key secret is returned only in this response. Store it immediately in a secret manager. If it is lost, rotate the key — it cannot be retrieved again.
201 Created

GET /v1/auth/keys

Lists all API keys for your organization.
200 OK

GET /v1/auth/scopes

Returns all supported permission scopes.

PATCH /v1/auth/keys/{id}/scopes

Replaces the scopes on a key. This is a full replacement — include all scopes you want the key to have, not just new ones.

POST /v1/auth/keys/{id}/rotate

Issues a new secret for the key while keeping the same id, name, and scopes. The old secret is immediately invalidated.
Update INDIGENIUS_API_KEY in all environments that use this key before rotating. The old secret stops working immediately.

POST /v1/auth/keys/{id}/revoke

Permanently disables a key. All requests using it will return 401 immediately. This action cannot be undone.

Scope reference


Key lifecycle best practices

  1. Create separate keys for dev, staging, and prod.
  2. Grant only the scopes each key needs — never use an all-scope key in production.
  3. Set expiresAt on production keys and rotate before expiry.
  4. Revoke unused keys promptly — an idle key is an unnecessary attack surface.
  5. Rotate immediately after any suspected exposure.