Authentication
API keys allow your applications to access IntelliRepo programmatically. This guide covers creating, using, and securing API keys.
API Key Format
IntelliRepo API keys have a specific format:
rh_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx- Prefix:
rh_live_ - Followed by 32 random characters
Creating an API Key
Via Web UI
- Go to Settings > API Keys
- Click Create API Key
- Enter a descriptive name (e.g., "Slack Bot", "Website Widget")
- Select scopes (see below)
- Optionally restrict to specific collections
- Click Create
Important: The full API key is shown only once. Copy it immediately and store it securely.
Via API
curl -X POST https://api.intellirepo.ai/api/v1/api-keys \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "My Integration",
"scopes": ["read", "chat"]
}'Using API Keys
Include the API key in the Authorization header:
curl https://api.intellirepo.ai/api/v1/collections \
-H "Authorization: Bearer rh_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"The key authenticates as your organization with the permissions you granted.
Scopes
Scopes control what the API key can do:
| Scope | Allows |
|---|---|
read | List collections, view documents, search |
write | Upload documents, update tags, delete documents |
chat | Chat and search endpoints |
Recommended Scope Combinations
| Use Case | Scopes |
|---|---|
| Chat bot | read, chat |
| Document uploader | read, write |
| Full integration | read, write, chat |
| Search-only | read |
Collection Restrictions
By default, API keys can access all collections. You can restrict access:
{
"name": "HR Bot",
"scopes": ["read", "chat"],
"collection_ids": ["uuid-1", "uuid-2"]
}This key can only access the specified collections.
When to Restrict
- Public-facing widgets: Only access public documentation
- Department integrations: Only access department-specific content
- Partner access: Limit to specific shared collections
Managing API Keys
Viewing Keys
Go to Settings > API Keys to see:
- Key name
- Last 4 characters (for identification)
- Scopes
- Created date
- Last used
Revoking Keys
If a key is compromised or no longer needed:
- Go to Settings > API Keys
- Find the key
- Click Revoke
- The key is immediately invalidated
Tip: Create a new key before revoking the old one to avoid downtime.
Security Best Practices
Use Descriptive Names
Name keys by their purpose: "Production Widget", "Slack Integration", "CI/CD Pipeline"
Minimum Scopes
Only grant the permissions the integration needs. A chat bot doesn't need write access.
Rotate Regularly
Periodically create new keys and revoke old ones, especially for production systems.
Never Commit Keys
Use environment variables, not hardcoded keys:
// Good
const apiKey = process.env.INTELLIREPO_API_KEY;
// Bad
const apiKey = "rh_live_abc123...";Monitor Usage
Check audit logs for unexpected API key activity.
Restrict Collections
For external-facing integrations, restrict to only necessary collections.
Troubleshooting
"Invalid API key"
- Verify the key is correct (copy/paste carefully)
- Check if the key was revoked
- Ensure the key belongs to your organization
"Insufficient permissions"
- Check the key's scopes include the required permission
- Verify collection access if restricted
"Rate limit exceeded"
- Check current usage in Settings > Usage
- Upgrade plan or wait for the next billing cycle
Audit Trail
All API key activity is logged:
- Key creation and revocation
- Endpoints accessed
- Collections queried
- Errors and rate limit hits
View in Settings > Audit Logs.
Related Articles
Need Help?
Contact our support team if you have questions about API authentication.