Skip to main content
This guide covers how to manage your DocIntell API keys programmatically. API keys provide secure access to the DocIntell API for your applications and services.
DocIntell is currently invite-only. Contact your account manager to get started.

Overview

DocIntell uses API keys for programmatic access to the platform. Each API key:
  • Is scoped to a single tenant (your organization)
  • Can be either live (production) or test (development)
  • Is hashed before storage (we never store plaintext keys)
  • Can be rotated with zero downtime using grace periods
  • Can be revoked immediately if compromised

Key Environments

DocIntell supports two key environments:
Always use test keys for development and staging environments. Only use live keys in production.

Creating an API Key

Create a new API key by calling POST /v1/keys:
Response:
The API key is shown ONLY ONCE in this response. Copy it immediately and store it securely. If you lose the key, you’ll need to create a new one.

Listing Your API Keys

View all API keys in your account with GET /v1/keys:
Response:
For security, the full API key is never shown after creation. Only the prefix (dk_live_) and last 4 characters are displayed for identification.

Response Fields

Rotating API Keys

Key rotation is the recommended way to update your API keys without service disruption. When you rotate a key:
  1. A new key is created
  2. The old key is marked as deprecated (but still works)
  3. You have 7 days to migrate your systems
  4. After 7 days, the old key automatically expires

Why Rotate Keys?

Security Best Practice

Regular rotation limits the window of exposure if a key is compromised.

Zero Downtime

Grace period allows gradual migration without service interruption.

Compliance

Many compliance frameworks require periodic credential rotation.

Incident Response

Quick response to suspected key compromise without breaking production.

Step-by-Step Rotation

1

Initiate Rotation

Call POST /v1/keys/rotate to create a new key:
Response:
Save the new_key.api_key value immediately - it’s shown only in this response!
2

Update Your Applications

During the 7-day grace period, update your applications to use the new key:
  • Update environment variables
  • Redeploy services with the new key
  • Update CI/CD pipelines
  • Update secrets in your secrets manager (AWS Secrets Manager, GCP Secret Manager, etc.)
Both the old and new keys work during the grace period. There’s no rush to migrate everything at once.
3

Monitor Usage

Track which systems are still using the old key by checking the last_used_at timestamp:
If the deprecated key’s last_used_at timestamp is recent, some systems are still using it.
4

Wait for Grace Period to Expire

After 7 days, the old key automatically expires. If you’ve migrated all systems, you can manually revoke it early:

Grace Period Details

The 7-day grace period is fixed and cannot be extended. Plan your migration accordingly.

Revoking API Keys

If a key is compromised or no longer needed, revoke it immediately with DELETE /v1/keys/{key_id}:
Response: 204 No Content
Revocation is immediate. The key stops working as soon as the request completes. There is no grace period.

When to Revoke vs Rotate

Revoked keys are retained in the database for audit purposes but cannot be used for authentication.

Monitoring Your API Keys

Effective API key monitoring helps you maintain security, track usage, and prevent service disruptions during key rotation. The GET /v1/keys endpoint provides comprehensive visibility into your key inventory.

List All Keys

Retrieve all API keys in your account with their metadata:
Example Response:

Query Parameters

Example: Hide deprecated keys

Response Fields

Each key in the response includes the following fields:
For security, the full API key is never shown after creation. Only the prefix (dk_live_) and last 4 characters are displayed for identification.

Key Status Lifecycle

API keys transition through three lifecycle states:
1

Active

Normal operation
  • Key is working and valid
  • status: "active"
  • is_active: true
  • Can authenticate API requests
  • No expiration date
2

Deprecated

Grace period after rotation
  • Key was replaced via rotation
  • status: "deprecated"
  • is_active: true (still works!)
  • Can still authenticate for 7 days
  • Monitor grace_period_days_remaining
  • Automatically expires after grace period
Timeline:
3

Expired

Grace period ended
  • Key can no longer authenticate
  • status: "expired"
  • is_active: false
  • Retained for audit purposes
  • Cannot be reactivated (create a new key instead)
Revoked keys have a special status:
  • status: "revoked" (not shown in lifecycle above)
  • is_active: false
  • Immediately stopped (no grace period)
  • Result of manual DELETE /v1/keys/{key_id} call

Monitoring Best Practices

Track Unused Keys

Identify keys that haven’t been used in 30+ days for security audits.

Monitor Grace Periods

Track keys nearing expiration during rotation.

Verify Active Keys

Ensure production services use active (non-deprecated) keys.

Set Up Alerts

Create automated alerts for key expiration.Example cron job (daily check):

Example: Automated Key Health Check

Here’s a complete script that monitors API key health and warns about potential issues:
Usage:
Integrate this health check into your monitoring stack:
  • Send alerts to Slack or PagerDuty when issues are detected
  • Track key usage metrics in Datadog or Prometheus
  • Run checks before deployments to catch expiring keys early

Best Practices

Store Keys Securely

Environment Variables

Store keys in environment variables, never in code:
Access in your application:

Secrets Managers

Use a secrets manager for production:
  • AWS Secrets Manager
  • GCP Secret Manager
  • HashiCorp Vault
  • Azure Key Vault
Never commit API keys to version control. Add .env files to your .gitignore:

Use Separate Keys per Environment

Test keys (dk_test_) are free and never billed. Use them liberally for development and testing.

Rotate Keys Regularly

1

Set a Rotation Schedule

Rotate keys every 90 days as a security best practice.Set calendar reminders or use automation:
2

Monitor Grace Periods

Track upcoming key expirations to avoid service disruptions.Check grace_period_days_remaining in the API response.
3

Audit Key Usage

Review last_used_at timestamps monthly to identify:
  • Unused keys (can be revoked)
  • Keys in use by unknown systems (investigate)

Minimize Key Scope

One Key per Service

Create separate API keys for each service or application.This limits the blast radius if one key is compromised.

Descriptive Names

Use clear, descriptive names:
  • “Production API Server - us-east-1”
  • “CI/CD Pipeline - GitHub Actions”
  • “My Key”
  • “Test”

Monitor for Suspicious Activity

Check last_used_at timestamps regularly:
If a key shows unexpected usage, revoke it immediately and investigate.

Error Handling

Missing Authorization Header

HTTP Status: 401 Unauthorized Fix: Include the Authorization: Bearer header in all requests.

Invalid API Key

HTTP Status: 401 Unauthorized Possible Causes:
  • Key was revoked
  • Key expired after grace period
  • Typo in the key value
  • Wrong environment (using test key on production URL or vice versa)

Malformed Authorization Header

HTTP Status: 401 Unauthorized Fix: Ensure the header format is exactly: Authorization: Bearer dk_live_...

Next Steps

Authentication Guide

Learn how to use your API key in requests

Upload Your First Document

Start extracting data from PDFs

Webhook Setup

Get real-time notifications for processing events

Error Handling

Handle API errors gracefully