DocIntell is currently invite-only. Contact your account manager to get started.
Overview
DocIntell uses API keys for programmatic access to the platform. Each API key:- Is scoped to a single tenant (your organization)
- Can be either
live(production) ortest(development) - Is hashed before storage (we never store plaintext keys)
- Can be rotated with zero downtime using grace periods
- Can be revoked immediately if compromised
Key Environments
DocIntell supports two key environments:Creating an API Key
Create a new API key by callingPOST /v1/keys:
Listing Your API Keys
View all API keys in your account withGET /v1/keys:
For security, the full API key is never shown after creation. Only the prefix (
dk_live_) and last 4 characters are displayed for identification.Response Fields
Rotating API Keys
Key rotation is the recommended way to update your API keys without service disruption. When you rotate a key:- A new key is created
- The old key is marked as deprecated (but still works)
- You have 7 days to migrate your systems
- After 7 days, the old key automatically expires
Why Rotate Keys?
Security Best Practice
Regular rotation limits the window of exposure if a key is compromised.
Zero Downtime
Grace period allows gradual migration without service interruption.
Compliance
Many compliance frameworks require periodic credential rotation.
Incident Response
Quick response to suspected key compromise without breaking production.
Step-by-Step Rotation
1
Initiate Rotation
Call Response:
POST /v1/keys/rotate to create a new key:2
Update Your Applications
During the 7-day grace period, update your applications to use the new key:
- Update environment variables
- Redeploy services with the new key
- Update CI/CD pipelines
- Update secrets in your secrets manager (AWS Secrets Manager, GCP Secret Manager, etc.)
Both the old and new keys work during the grace period. There’s no rush to migrate everything at once.
3
Monitor Usage
Track which systems are still using the old key by checking the If the deprecated key’s
last_used_at timestamp:last_used_at timestamp is recent, some systems are still using it.4
Wait for Grace Period to Expire
After 7 days, the old key automatically expires. If you’ve migrated all systems, you can manually revoke it early:
Grace Period Details
The 7-day grace period is fixed and cannot be extended. Plan your migration accordingly.
Revoking API Keys
If a key is compromised or no longer needed, revoke it immediately withDELETE /v1/keys/{key_id}:
204 No Content
When to Revoke vs Rotate
Revoked keys are retained in the database for audit purposes but cannot be used for authentication.
Monitoring Your API Keys
Effective API key monitoring helps you maintain security, track usage, and prevent service disruptions during key rotation. TheGET /v1/keys endpoint provides comprehensive visibility into your key inventory.
List All Keys
Retrieve all API keys in your account with their metadata:Query Parameters
Example: Hide deprecated keys
Response Fields
Each key in the response includes the following fields:For security, the full API key is never shown after creation. Only the prefix (
dk_live_) and last 4 characters are displayed for identification.Key Status Lifecycle
API keys transition through three lifecycle states:1
Active
Normal operation
- Key is working and valid
status: "active"is_active: true- Can authenticate API requests
- No expiration date
2
Deprecated
Grace period after rotation
- Key was replaced via rotation
status: "deprecated"is_active: true(still works!)- Can still authenticate for 7 days
- Monitor
grace_period_days_remaining - Automatically expires after grace period
3
Expired
Grace period ended
- Key can no longer authenticate
status: "expired"is_active: false- Retained for audit purposes
- Cannot be reactivated (create a new key instead)
Monitoring Best Practices
Track Unused Keys
Identify keys that haven’t been used in 30+ days for security audits.
Monitor Grace Periods
Track keys nearing expiration during rotation.
Verify Active Keys
Ensure production services use active (non-deprecated) keys.
Set Up Alerts
Create automated alerts for key expiration.Example cron job (daily check):
Example: Automated Key Health Check
Here’s a complete script that monitors API key health and warns about potential issues:Best Practices
Store Keys Securely
Environment Variables
Store keys in environment variables, never in code:Access in your application:
Secrets Managers
Use a secrets manager for production:
- AWS Secrets Manager
- GCP Secret Manager
- HashiCorp Vault
- Azure Key Vault
Use Separate Keys per Environment
Test keys (
dk_test_) are free and never billed. Use them liberally for development and testing.Rotate Keys Regularly
1
Set a Rotation Schedule
Rotate keys every 90 days as a security best practice.Set calendar reminders or use automation:
2
Monitor Grace Periods
Track upcoming key expirations to avoid service disruptions.Check
grace_period_days_remaining in the API response.3
Audit Key Usage
Review
last_used_at timestamps monthly to identify:- Unused keys (can be revoked)
- Keys in use by unknown systems (investigate)
Minimize Key Scope
One Key per Service
Create separate API keys for each service or application.This limits the blast radius if one key is compromised.
Descriptive Names
Use clear, descriptive names:
- “Production API Server - us-east-1”
- “CI/CD Pipeline - GitHub Actions”
“My Key”“Test”
Monitor for Suspicious Activity
Checklast_used_at timestamps regularly:
Error Handling
Missing Authorization Header
401 Unauthorized
Fix: Include the Authorization: Bearer header in all requests.
Invalid API Key
401 Unauthorized
Possible Causes:
- Key was revoked
- Key expired after grace period
- Typo in the key value
- Wrong environment (using test key on production URL or vice versa)
Malformed Authorization Header
401 Unauthorized
Fix: Ensure the header format is exactly: Authorization: Bearer dk_live_...
Next Steps
Authentication Guide
Learn how to use your API key in requests
Upload Your First Document
Start extracting data from PDFs
Webhook Setup
Get real-time notifications for processing events
Error Handling
Handle API errors gracefully