API Keys
Creating API Keys
API keys are created through the dashboard or via the management API. Each key is associated with your organization and can be scoped to specific products and environments.
Via the Dashboard
- Log into your dashboard
- Navigate to API Keys in the sidebar
- Click Create New Key
- Give the key a descriptive name (e.g., "Production Backend" or "Staging")
- Select the product scope (all products or specific ones)
- Click Create and copy the key immediately
Via the API
```bash
curl -X POST https://api.bolor.ai/v1/api-keys \
  -H "Authorization: Bearer sk-your-admin-key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Backend",
    "scopes": ["orchestrai", "mindvault", "agentguard"],
    "environment": "production",
    "expires_in_days": 90
  }'
# Response:
# {
#   "id": "key_abc123",
#   "name": "Production Backend",
#   "key": "sk-bolor-prod-xxxxxxxxxxxxxxxxxxxxxxxx",
#   "scopes": ["orchestrai", "mindvault", "agentguard"],
#   "environment": "production",
#   "expires_at": "2026-05-10T00:00:00Z",
#   "created_at": "2026-02-10T12:00:00Z"
# }
```
Important: The full API key is only shown once at creation time. Store it securely in a secrets manager or environment variable. If you lose a key, you will need to create a new one.
Scoping Keys to Products
By default, a new API key has access to all products on your plan. You can restrict keys to specific products to follow the principle of least privilege. A key scoped to only OrchestrAI and MindVault will receive a 403 error if used to call AgentGuard endpoints.
Available product scopes:
| Scope | Product |
|---|---|
| orchestrai | OrchestrAI — Multi-Model Router |
| agentguard | AgentGuard — Agent Safety |
| mindvault | MindVault — Enterprise Memory |
| compliance | ComplianceGraph — Governance |
| dataready | DataReady — Data Quality |
| evoagent | EvoAgent — Self-Improving Agents |
| vertical | VerticalAI — Industry Kits |
Rotating Keys
Key rotation is a security best practice. Bolor Intelligence supports graceful key rotation with an overlap period, so you can deploy new keys before revoking old ones without downtime.
Rotation Process
- Create a new API key with the same scopes as the existing key
- Deploy the new key to your application servers
- Verify that requests are succeeding with the new key
- Revoke the old key once you have confirmed the new key works
```bash
curl -X DELETE https://api.bolor.ai/v1/api-keys/key_abc123 \
  -H "Authorization: Bearer sk-your-admin-key"
# Response:
# {
#   "id": "key_abc123",
#   "revoked": true,
#   "revoked_at": "2026-02-14T15:30:00Z"
# }
```
Automatic Expiration
You can set an expiration date when creating a key. Expired keys are automatically revoked and return a 401 error. We recommend setting expiration to 90 days for production keys and 30 days for development keys.
Security Best Practices
Use environment variables
Never hardcode API keys in source code. Store them in environment variables or a secrets manager like AWS Secrets Manager, HashiCorp Vault, or Doppler.
Scope keys minimally
Give each key access only to the products it needs. A service that only uses OrchestrAI should not have a key with access to all seven products.
Separate keys per environment
Use different API keys for development, staging, and production. This limits blast radius if a key is compromised and makes it easier to audit usage.
Rotate keys regularly
Set expiration dates on all keys and rotate them before they expire. We recommend a 90-day rotation cycle for production keys.
Monitor key usage
Review API key usage in the dashboard regularly. Look for unexpected usage patterns, requests from unknown IPs, or access to products that a key should not be using.
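The scoping, expiration and rotation recommendations above can be checked mechanically over key metadata. The following is an added example, not Bolor Intelligence code: it assumes records shaped like the create response shown earlier (without the secret `key` field), and the function names, the `development` and `staging` environment strings, a null `expires_at` for keys created without expiry, and the 14-day warning window are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Scope names from the product scope table on this page.
ALL_SCOPES = {"orchestrai", "agentguard", "mindvault", "compliance",
              "dataready", "evoagent", "vertical"}
# Page's recommended lifetimes (days); "development" as a value is assumed.
MAX_LIFETIME_DAYS = {"production": 90, "development": 30}
ROTATE_WITHIN = timedelta(days=14)  # assumed warning window, not from the page

def parse_ts(value):
    """Parse the response timestamp format, e.g. 2026-02-10T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_key(key, now):
    """Return the findings for one key metadata record (hypothetical helper)."""
    findings = []
    if ALL_SCOPES <= set(key.get("scopes") or []):
        findings.append("all-products scope")
    if not key.get("expires_at"):  # assumption: null means no expiry was set
        return findings + ["no expiration set"]
    created, expires = parse_ts(key["created_at"]), parse_ts(key["expires_at"])
    limit = MAX_LIFETIME_DAYS.get(key.get("environment"))
    if limit is not None and expires - created > timedelta(days=limit):
        findings.append(f"lifetime exceeds {limit} days")
    if expires <= now:
        findings.append("expired")
    elif expires - now <= ROTATE_WITHIN:
        findings.append("rotate now: expires soon")
    return findings


def audit_inventory(keys, now):
    """Map key id -> findings, leaving out keys with nothing to report."""
    report = {k["id"]: audit_key(k, now) for k in keys}
    return {key_id: found for key_id, found in report.items() if found}


# Constructed sample inventory; the secret "key" value is never stored here.
SAMPLE_KEYS = [
    {"id": "key_abc123", "environment": "production",
     "scopes": ["orchestrai", "mindvault", "agentguard"],
     "created_at": "2026-02-10T12:00:00Z", "expires_at": "2026-05-10T00:00:00Z"},
    {"id": "key_dev_example", "environment": "development",
     "scopes": sorted(ALL_SCOPES),
     "created_at": "2026-01-01T00:00:00Z", "expires_at": "2026-04-01T00:00:00Z"},
    {"id": "key_ci_example", "environment": "staging", "scopes": ["orchestrai"],
     "created_at": "2026-01-15T00:00:00Z", "expires_at": None},
]
```

Calling `audit_inventory(SAMPLE_KEYS, now)` with a timezone-aware `now` returns only the keys that need attention, which makes it suitable for a scheduled job that alerts on a non-empty report.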
Next Steps
- Rate Limits →
Understand the request quotas associated with each plan and how rate limiting works.
- Webhooks →
Set up webhook endpoints to receive real-time notifications about key events.