API Keys
Every request to the Redact proxy must be authenticated with a workspace API key. Keys are prefixed xr_live_ and are provisioned by your Xybern administrator, scoped to your workspace domain.
How Keys Work
Keys are created by your Xybern account administrator and assigned directly to your workspace. You do not create keys yourself.
When a key is provisioned for your workspace, it appears in the API Keys tab of your Redact dashboard. From there you can copy it and use it in your application or agent pipeline.
Copying Your Key
- Go to API Keys in your Redact workspace
- Find your key in the Your Keys table
- Click Copy Key in the row
The full key is available to copy at any time from the dashboard.
Domain Scoping
Each Redact workspace is configured for a single domain: Legal, Healthcare, Finance, or General. Keys provisioned for your workspace are automatically scoped to that domain.
A key scoped to finance will only process requests tagged with that document class. Requests with a different class are blocked with a 403 and logged in the vault as blocked records.
This enforces least-privilege access at the infrastructure level. An agent processing financial documents cannot accidentally access healthcare or legal data even if the key is reused or leaked.
| Workspace Domain | Key Scope | Blocked Classes |
|---|---|---|
| Legal | legal | finance, healthcare, general |
| Healthcare | healthcare | finance, legal, general |
| Finance | finance | legal, healthcare, general |
| General | Unrestricted | None |
Using the Key
Pass the key in the Authorization header on every proxy request:
```bash
curl -X POST https://www.xybern.com/api/redact/{workspace_id}/proxy \
  -H "Authorization: Bearer xr_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o",
    "messages": [{"role": "user", "content": "Summarise this contract: ..."}]
  }'
```
Key Status
| Status | Meaning |
|---|---|
| Active | Key is valid and accepts requests |
| Revoked | Key has been deactivated by your administrator |
Revoked keys return 401 immediately. If your key is revoked, contact your Xybern administrator to have a new one provisioned.
Key Structure
| Field | Example | Description |
|---|---|---|
| name | Legal-API | Human-readable label set by your administrator |
| key_prefix | xr_live_Li3u-3g7 | First 16 characters, shown in the dashboard for identification |
| allowed_doc_classes | ["finance"] | Domain restriction applied automatically on every request |
| last_used_at | 2026-05-22T14:30:00Z | Timestamp of the most recent authenticated request |
| is_active | true / false | False means revoked |
Security Notes
- Keys are hashed with SHA-256 in the database. Xybern stores the full key for display in your dashboard only.
- If a key is compromised, contact your administrator immediately to revoke it and provision a replacement.
- All vault records reference the key that was used, so you can trace every request back to a specific key in the audit log.
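The checks this page describes (lookup by SHA-256 hash, 401 for a revoked key, 403 plus a blocked vault record for an out-of-scope document class) can be modelled as below. This is an added illustration, not Xybern's code: the `key_hash` column, the `make_record` and `authorize` helpers, the in-memory store and vault, the empty-list encoding of an unrestricted key, and the sample keys are all assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class KeyRecord:
    # Field names follow the Key Structure table; key_hash is an assumed column.
    name: str
    key_prefix: str            # first 16 characters, for identification only
    key_hash: str              # SHA-256 hex digest of the full key
    allowed_doc_classes: list  # assumption: [] models the unrestricted General scope
    is_active: bool = True
    last_used_at: Optional[str] = None

def make_record(name, full_key, classes, active=True):
    digest = hashlib.sha256(full_key.encode()).hexdigest()
    return KeyRecord(name, full_key[:16], digest, classes, active)

def authorize(store, vault, auth_header, doc_class):
    """Return 401 (bad or revoked key), 403 (class out of scope) or 200."""
    scheme, _, presented = auth_header.partition(" ")
    if scheme != "Bearer" or not presented.startswith("xr_live_"):
        return 401
    rec = store.get(hashlib.sha256(presented.encode()).hexdigest())
    if rec is None or not rec.is_active:
        return 401  # revoked keys fail before any scope check
    rec.last_used_at = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    blocked = bool(rec.allowed_doc_classes) and doc_class not in rec.allowed_doc_classes
    # Every authenticated request leaves a record that references the key used.
    vault.append({"key_prefix": rec.key_prefix, "doc_class": doc_class, "blocked": blocked})
    return 403 if blocked else 200

# Constructed sample keys; not real credentials.
FIN_KEY = "xr_live_CONSTRUCTED-finance-0001"
GEN_KEY = "xr_live_CONSTRUCTED-general-0002"
REVOKED_KEY = "xr_live_CONSTRUCTED-legal-0003"

def build_demo():
    records = [make_record("Finance-API", FIN_KEY, ["finance"]),
               make_record("General-API", GEN_KEY, []),
               make_record("Legal-API", REVOKED_KEY, ["legal"], active=False)]
    return {r.key_hash: r for r in records}, []

if __name__ == "__main__":
    store, vault = build_demo()
    for key, cls in [(FIN_KEY, "finance"), (FIN_KEY, "healthcare"), (REVOKED_KEY, "legal")]:
        print(key[:16], cls, authorize(store, vault, "Bearer " + key, cls))
    print(vault)
```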
Related
- Proxy Endpoint - full request and response reference
- Policies - configure which entity types are anonymized
- Vault & Audit Trail - every request authenticated with your key is logged here