Auth & Keys
How authentication works, how to obtain and manage API keys, and best practices for secure setup.
How authentication works
All API requests to Interlocute are authenticated using bearer tokens. Include your API key in the
Authorization header of every request:
Authorization: Bearer YOUR_API_KEY
Requests without a valid key return 401 Unauthorized.
Requests with a valid key that lacks the required scope return 403 Forbidden.
Obtaining your API key
- Sign in to the Interlocute dashboard
- Navigate to Settings → API Keys
- Click Create Key and give it a descriptive name
- Copy the key — it is shown only once
Recommended local setup
Store your API key in an environment variable rather than hardcoding it:
# macOS / Linux
export INTERLOCUTE_API_KEY=your_key_here
# Windows PowerShell
$env:INTERLOCUTE_API_KEY = "your_key_here"
Then reference it in your code:
// C#
var key = Environment.GetEnvironmentVariable("INTERLOCUTE_API_KEY");
// JavaScript
const key = process.env.INTERLOCUTE_API_KEY;
Do not store keys in appsettings.json or .env files that are checked into source control.
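The following is an added example, not code from Interlocute: a small Node.js wrapper that reads the key from INTERLOCUTE_API_KEY, fails closed when it is missing or malformed, and separates the 401 and 403 cases described above. The function names are hypothetical, and the request URL is supplied by the caller because no endpoint path is assumed here.

```javascript
// Added example (not Interlocute's code); all function names are hypothetical.

// Read the key from the environment and fail closed if absent or malformed.
function loadApiKey(env = process.env) {
  const key = env.INTERLOCUTE_API_KEY;
  if (typeof key !== "string" || key.length === 0) {
    throw new Error("INTERLOCUTE_API_KEY is not set");
  }
  // Whitespace or control characters usually mean copy/paste debris
  // (a trailing newline, for example) and would corrupt the header.
  if (/[\s\x00-\x1f\x7f]/.test(key)) {
    throw new Error("INTERLOCUTE_API_KEY contains whitespace or control characters");
  }
  return key;
}

// For logs: show a short prefix for correlation, never the full key.
function redactKey(key) {
  return key.length > 8 ? `${key.slice(0, 4)}****` : "****";
}

function authHeaders(env = process.env) {
  return { Authorization: `Bearer ${loadApiKey(env)}` };
}

// 401: the key itself is missing or invalid (check or rotate the key).
// 403: the key is valid but lacks the required scope (fix its permissions).
function classifyAuthStatus(status) {
  if (status === 401) return "invalid_key";
  if (status === 403) return "missing_scope";
  return "ok";
}

// fetchImpl is injectable so the wrapper can be exercised without network access.
async function callInterlocute(url, init = {}, opts = {}) {
  const { env = process.env, fetchImpl = globalThis.fetch } = opts;
  // Auth header is applied last so caller-supplied headers cannot override it.
  const headers = { ...(init.headers || {}), ...authHeaders(env) };
  const res = await fetchImpl(url, { ...init, headers });
  const verdict = classifyAuthStatus(res.status);
  if (verdict !== "ok") {
    const err = new Error(`Interlocute auth failure: ${verdict} (HTTP ${res.status})`);
    err.code = verdict; // the message and code never contain the key
    throw err;
  }
  return res;
}
```

Because the error objects carry only the status and a verdict code, they can be logged as-is; use redactKey when a log line needs to identify which key was in use.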
Key types
Interlocute supports two types of API keys:
Secret keys
Full-access keys for server-side use. These can manage nodes, read logs, and perform all operations. Never expose these in client-side code.
Publishable keys
Restricted keys designed for client-side embedding. Scoped to specific domains via allowlists and limited to chat interactions. Safe to include in front-end code.
Key rotation
To rotate a key, create a new key, update your integrations to use it, then delete the old key. Both keys will work simultaneously during the transition. There is no downtime during rotation.
Scoping & least privilege
When creating keys, assign only the permissions your integration needs. If an integration only sends chat messages, create a key scoped to chat operations. This limits the blast radius if a key is compromised.
Next steps
- API Overview — endpoint model and error semantics
- Quickstart — send your first request