Guides · 01

Authentication and API keys

How to authenticate requests with an API key, scopes and limits.

Every request to the LOCRAI API is authenticated with a personal key, generated from the dashboard in the API Keys section. The key begins with the idp_live_ prefix and should be treated like a password: don't share it and don't include it in client-side code.

Sending the key

You can pass the key in two equivalent ways: in the Authorization header as a Bearer token, or in the X-Api-Key header. Choose whichever is more convenient for your client.

Authorization headerbash

curl https://app.locrai.com/api/v1/documents \
  -H "Authorization: Bearer idp_live_xxxxxxxxxxxxxxxxxxxx"

X-Api-Key headerbash

curl https://app.locrai.com/api/v1/documents \
  -H "X-Api-Key: idp_live_xxxxxxxxxxxxxxxxxxxx"

Scopes and permissions

Each key has one or more scopes: read for read requests (GET and export), write to create, update and delete. A key lacking the required scope receives a 403 response.

Errors and limits

A missing or invalid key returns 401. The API enforces a limit of 120 requests per minute per key: above the threshold you receive 429 and will need to retry shortly after.

401 Unauthorizedjson

{ "message": "Invalid API key." }

Open the guideUploading a document

Ready to integrate LOCRAI?

Generate an API key from the dashboard and get started, or write to us: we'll help you connect LOCRAI to your systems, including custom connectors.