Authentication
API keys — generate, use, scopes, rotate, and revoke.
QANATIX uses API keys for authentication. Every request must include a valid key in the Authorization header.
Generate a key
curl -X POST https://api.qanatix.com/api/v1/auth/keys \
  -H "X-Tenant-Id: your-tenant-id" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production-key",
    "scopes": ["search", "ingest", "entities"]
  }'

Response:

{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "name": "production-key",
  "key": "sk_live_abc123def456...",
  "scopes": ["search", "ingest", "entities"],
  "message": "Store this key securely — it cannot be retrieved again."
}

Keys use the format sk_live_<64 hex chars>. The key is shown only once, so store it securely.
Use the key
Include it in the Authorization header:
curl -H "Authorization: Bearer sk_live_abc123..." \
  -H "Content-Type: application/json" \
  -X POST https://api.qanatix.com/api/v1/search/manufacturing \
  -d '{"query": "M8 bolt stainless"}'

Python:

import asyncio
import httpx

async def main():
    # The key goes in the Authorization header as a Bearer token.
    async with httpx.AsyncClient(
        base_url="https://api.qanatix.com/api/v1",
        headers={"Authorization": "Bearer sk_live_abc123..."},
    ) as client:
        resp = await client.post("/search/manufacturing", json={"query": "M8 bolt"})

asyncio.run(main())

Scopes
| Scope | Allows |
|---|---|
| search | Query the search API |
| ingest | Push data via ingestion endpoints |
| entities | CRUD on entities (create, read, update, delete) |
| admin | Tenant management, reindex, export, usage stats |
The admin scope implicitly grants all other scopes.
Create narrow keys for specific use cases:
{"name": "search-only", "scopes": ["search"]}
{"name": "data-pipeline", "scopes": ["ingest", "entities"]}
{"name": "full-access", "scopes": ["search", "ingest", "entities", "admin"]}

Key expiration
Keys can have an optional expiration:
{
  "name": "temp-key",
  "scopes": ["search"],
  "expires_at": "2026-04-01T00:00:00Z"
}

Expired keys are automatically rejected.
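A least-privilege audit over a key inventory, as an added example that is not QANATIX code: it applies the rule that admin implicitly grants every other scope and checks expires_at. The record shape, the NEEDED map and the 90-day MAX_LIFETIME policy are assumptions, and the sample keys are constructed from the names used above.

```python
from datetime import datetime, timedelta, timezone

ALL_SCOPES = {"search", "ingest", "entities", "admin"}
MAX_LIFETIME = timedelta(days=90)  # assumption: local policy, not a QANATIX limit


def effective_scopes(scopes):
    """Scopes a key really carries: admin implicitly grants all others."""
    return set(ALL_SCOPES) if "admin" in scopes else set(scopes)


def audit_key(key, needed, now):
    """Return findings for one key record.

    key    -- dict with name, scopes and optional expires_at (ISO 8601, Z suffix)
    needed -- scopes the consuming service actually uses
    now    -- timezone-aware datetime used as the reference time
    """
    findings = []
    excess = effective_scopes(key["scopes"]) - set(needed)
    if excess:
        findings.append(f"excess scopes: {sorted(excess)}")
    expires = key.get("expires_at")
    if expires is None:
        findings.append("no expiration set")
    else:
        when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        if when <= now:
            findings.append("already expired")
        elif when - now > MAX_LIFETIME:
            findings.append("expires later than policy allows")
    return findings


# Constructed sample inventory; not real keys or real API output.
KEYS = [
    {"name": "search-only", "scopes": ["search"], "expires_at": "2026-04-01T00:00:00Z"},
    {"name": "data-pipeline", "scopes": ["ingest", "entities"]},
    {"name": "full-access", "scopes": ["search", "ingest", "entities", "admin"]},
]
# Hypothetical map of what each consumer actually calls.
NEEDED = {"search-only": ["search"], "data-pipeline": ["ingest"], "full-access": ["search"]}

if __name__ == "__main__":
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)
    for k in KEYS:
        print(k["name"], audit_key(k, NEEDED[k["name"]], now))
```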
Rotate a key
Generate a new key, immediately invalidating the old one:
curl -X POST https://api.qanatix.com/api/v1/auth/keys/{key_id}/rotate \
  -H "Authorization: Bearer sk_live_abc123..."

Returns a new key value with the same name, scopes, and expiration. Update your applications immediately.
Revoke a key
curl -X DELETE https://api.qanatix.com/api/v1/auth/keys/{key_id} \
  -H "Authorization: Bearer sk_live_abc123..."

The key stops working immediately. Returns 204 No Content.
List keys
curl https://api.qanatix.com/api/v1/auth/keys \
  -H "Authorization: Bearer sk_live_abc123..."

Returns all active keys for your tenant, ordered by creation date. Key values are never returned; only name, scopes, and metadata are.
Rate limits
Requests are rate-limited per tenant by plan tier. See Rate Limits for details.
Rate limit headers are included in every response:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 57
X-RateLimit-Reset: 1709251200

Development mode
In development (ENV=development), you can use the X-Tenant-Id header instead of a Bearer token for testing. This is disabled in production.