API keys
Create keys in the dashboard under your environment. A key is a bearer token you send on every request:The API selects API-key authentication when the token starts with
sk_. Always send the full token including the sk_ prefix, and keep the Bearer scheme.Key prefixes
The prefix tells you which environment type a key belongs to:| Prefix | Environment types |
|---|---|
sk_live_ | production, personal |
sk_test_ | dev, staging, custom |
What a key carries
Every key is bound to configuration that determines what it can reach:The single environment the key belongs to. A key can never access another environment.
An optional list of tenant IDs the key may use. Leave it empty to grant access to every tenant in the environment, or list specific tenant IDs to scope the key down.
An optional list of knowledge base IDs, narrowing access further within the allowed tenants.
The permissions the key holds, such as
tenants:read, knowledge_bases:write, query:rag. See Access & scopes.Default scopes
If you don’t specify scopes when creating a key, it receives a sensible default set for read/write on tenants, knowledge bases, and documents, plusquery:rag for running chats.
User sessions
Dashboard users authenticate with email/password or Google OAuth through the endpoints under/api/auth. Sessions are cookie-based; send the session cookie returned by sign-in. Session auth is required for organization-level administration — managing members, roles, environments, and invitations — which is intentionally not exposed to API keys.
Choosing the right caller
Use an API key
Provisioning tenants and knowledge bases, ingesting documents, running agents and chats, serving your end users.
Use a user session
Creating organizations, managing team members and roles, creating environments, accepting invitations.