Authentication
Bearer tokens
Every authenticated request requires a Bearer token issued at customer
onboarding. Tokens look like aiactr_ followed by 64 hex
characters. They are tied to your customer record and your tier.
Authorization: Bearer aiactr_3f8a2c1d…
Where you get yours
The first welcome email after Stripe checkout contains your API key — shown once. Store it in your secret manager immediately. We hash the key on our side; if you lose it, you'll need to rotate.
Rotation
Email [email protected] to rotate. We disable the old key and issue a new one. Self-serve rotation is on the roadmap.
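The key lifecycle described above (issued once, stored only as a hash, old key disabled on rotation) can be sketched as follows. This is an added example, not the service's own code: the `KeyStore` class, the choice of SHA-256, the in-memory dictionary and the lowercase-hex assumption are all hypothetical.

```python
import hashlib
import re
import secrets

TOKEN_RE = re.compile(r"aiactr_[0-9a-f]{64}")  # prefix + 64 hex chars, as on this page


class KeyStore:
    """Hypothetical in-memory key store; keeps SHA-256 digests, never keys."""

    def __init__(self):
        self._by_digest = {}  # digest -> {"customer", "tier", "active"}

    @staticmethod
    def _digest(token):
        # Assumption: a fast unsalted hash suffices because the key is
        # 256 bits of CSPRNG output, unlike a human-chosen password.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, customer, tier):
        token = "aiactr_" + secrets.token_hex(32)  # 32 bytes -> 64 hex chars
        self._by_digest[self._digest(token)] = {
            "customer": customer, "tier": tier, "active": True}
        return token  # returned once; only the digest is kept

    def authenticate(self, authorization_header):
        scheme, _, token = (authorization_header or "").partition(" ")
        if scheme.lower() != "bearer" or not TOKEN_RE.fullmatch(token):
            return None  # malformed input is rejected before any lookup
        record = self._by_digest.get(self._digest(token))
        return record if record and record["active"] else None

    def rotate(self, customer):
        tier = None
        for record in self._by_digest.values():
            if record["customer"] == customer and record["active"]:
                record["active"] = False  # old key stops authenticating
                tier = record["tier"]
        if tier is None:
            raise KeyError(customer)
        return self.issue(customer, tier)
```

Because only the digest is stored, a lost key cannot be looked up or re-sent, which is why recovery takes the form of rotation.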
Rate limits
| Tier | API requests / day | Webhook deliveries / month |
|---|---|---|
| Indie | 1,000 | 500 |
| Team | 10,000 | 5,000 |
| GPAI | 100,000 | 50,000 |
| Embedded | custom | custom |
Hitting the daily API quota returns 429 Too Many Requests with
an X-RateLimit-Reset header. Webhook deliveries are not throttled
by us — but please don't deliberately ignore retries either.
Public endpoints (no auth)
- GET /v1/health — pipeline status
- GET /v1/topics — topic taxonomy
- GET /v1/sources — source list with cadence
Stripe webhook (separate auth)
POST /v1/webhooks/stripe verifies the
Stripe-Signature header against our Stripe webhook secret. It
is not a Bearer-token endpoint — Stripe authenticates via HMAC.