Platform
API Keys
Create, use, rotate, and revoke API keys for secure server-side API access.
RIXL authenticates API requests with project-scoped keys sent in the X-API-Key header.
Server-Side Only
Never expose API keys in frontend code, mobile binaries, or public repositories.
Create an API Key
Open your project in the dashboard and navigate to Settings → API Keys.
Click Create API Key and choose a descriptive name (example: prod-ingest-service).
Copy the key immediately and store it in your secret manager or environment variables.
Shown Once
The raw key value is only shown once at creation time. If lost, revoke and create a new key.
Authenticate Requests
Use the API base URL https://api.rixl.com and include X-API-Key on each request.
curl -X GET "https://api.rixl.com/projects" \
-H "X-API-Key: YOUR_PROJECT_API_KEY"const response = await fetch("https://api.rixl.com/projects", {
headers: {
"X-API-Key": process.env.RIXL_API_KEY,
},
});Verify Setup
Send a read request with your key:
curl -X GET "https://api.rixl.com/projects" \
-H "X-API-Key: YOUR_PROJECT_API_KEY"200means authentication works.401usually means missing, malformed, revoked, or expired key.403usually means project/key scope mismatch.
Rotate and Revoke Keys
- Create a replacement key.
- Deploy the new key to all services.
- Confirm traffic uses the new key.
- Revoke the old key.
Revoke compromised or unused keys immediately.
Security Checklist
- Use separate keys per environment (
dev,staging,prod). - Use separate keys per service to improve auditability and blast-radius control.
- Use descriptive key names for service ownership and audits.
- Keep keys in secret managers, not source code.
- Monitor and alert on repeated
401/403errors.