Authentication

API keys

The Developer API authenticates with personal access tokens. A key is bound to the user who created it and acts on that user’s behalf — there are no separate scopes or roles to manage.

How keys work

  • Format. Every key looks like dq_live_… and is unique to a single user.
  • Access. A key inherits its owner’s knowledge-base access — the KBs they own plus any shared with them read-only. There is nothing extra to configure.
  • Shown once. The full value is displayed only at creation time. If you lose it, revoke the key and create a new one.
  • Transport. Always send the key over HTTPS in the Authorization header as a Bearer token.

Sending the key

Add an Authorization: Bearer <key> header to every request. Read the key from the environment rather than hard-coding it.

bash
# Send your key as a Bearer token on every request
curl http://localhost:3000/api/v1/me \
  -H "Authorization: Bearer dq_live_xxxxxxxxxxxxxxxxxxxx"

# In Node.js
fetch("http://localhost:3000/api/v1/me", {
  headers: { Authorization: `Bearer ${process.env.DOCUQ_API_KEY}` }
})

Error responses

Auth failures use the uniform error envelope. A missing or invalid key returns 401 unauthorized; a valid key without access to a requested resource returns 403 forbidden.

401 — missing or invalid key

json
{
  "error": {
    "code": "unauthorized",
    "message": "Missing or invalid API key."
  }
}

403 — key valid but not permitted

json
{
  "error": {
    "code": "forbidden",
    "message": "Your key does not have access to this knowledge base."
  }
}

Security best practices

Store keys as secrets

Keep keys in an environment variable or a dedicated secret manager — never in source code, client-side bundles, or version control.

Treat the key as a password

A key grants full access to everything its owner can reach. Anyone holding it can read and write on your behalf.

Scope by ownership

A key reads from KBs you own and KBs shared with you (read-only), and can only write documents to KBs you own.

Rotate and revoke

If a key leaks, revoke it immediately in Settings → API Keys and mint a replacement. Revocation takes effect at once.