Create Retriever API Key
Generate a scoped API key for executing this specific retriever.
Use Cases:
- Provide external services with execution-only access
- Embed retriever calls in customer applications
- Create separate keys for staging vs production
- Implement per-customer access keys for SaaS products
Security:
- Keys grant EXECUTE_RETRIEVER permission only
- Keys are scoped to single retriever (cannot access others)
- Keys inherit org’s rate limits
- Keys can be revoked instantly
- Key prefix (ret_sk_abc…) shown in UI for identification
Ownership:
- Only the organization that owns the retriever can create keys
- Verified by matching internal_id + namespace_id
Key Format:
- Prefix: ret_sk_
- Length: 60 characters
- Example: ret_sk_abcdefghijklmnopqrstuvwxyz123456789…
Response:
- Plaintext key shown ONLY ONCE in response
- Save the key immediately - it cannot be retrieved later
- Key prefix stored for identification in UI
Documentation Index
Fetch the complete documentation index at: https://docs.mixpeek.com/docs/llms.txt
Use this file to discover all available pages before exploring further.
Headers
REQUIRED: Bearer token authentication using your API key. Format: 'Bearer sk_xxxxxxxxxxxxx'. You can create API keys in the Mixpeek dashboard under Organization Settings.
"Bearer YOUR_API_KEY"
"Bearer YOUR_STRIPE_API_KEY"
Namespace identifier for scoping this request. All resources (collections, buckets, taxonomies, etc.) are scoped to a namespace. You can provide either the namespace name or namespace ID. Format: ns_xxxxxxxxxxxxx (ID) or a custom name like 'my-namespace'. Falls back to ?namespace= query parameter if the header is omitted.
"ns_abc123def456"
"production"
"my-namespace"
Path Parameters
Body
Request payload for creating a retriever-scoped API key.
Retriever keys are automatically scoped to execute a specific retriever. The scope and permissions are auto-populated by the service layer and cannot be modified.
Example: { "name": "production-api", "description": "Production API key for customer integrations", "expires_at": "2026-12-31T23:59:59Z" }
Human-friendly key label for identification.
1 - 100Optional description explaining the key's purpose.
500Optional UTC timestamp when the key automatically expires.
Optional list of allowed HTTP origins for this API key. When set, browser requests must include a matching Origin header. Supports exact matches and wildcard subdomains (e.g., 'https://*.example.com'). Defense-in-depth: Origin headers can be spoofed from non-browser contexts.
[
"https://docs.example.com",
"https://*.example.com"
]Response
Successful Response
Response model including the plaintext key (shown only once).
This response is returned immediately after key creation. The plaintext key is shown ONLY in this response and cannot be retrieved later. Users should save the key immediately for secure storage.
Security note:
The key field contains the plaintext secret and should be:
- Stored securely by the user (environment variables, secrets manager)
- Never committed to version control
- Never logged or exposed in error messages
- Rotated/revoked if accidentally exposed
SHA-256 hash of the plaintext key.
Organization internal identifier.
Identifier of the user who owns the key.
Human-friendly key label.
Plaintext API key (shown only once). Prefix: ret_sk_. Store securely immediately after creation.
Public identifier for the API key.
Visible prefix of the API key for user identification (e.g., 'sk_abc123...'). Shows the first 10 characters of the plaintext key to help users identify which key is which in lists, without exposing the full secret. This follows industry best practices from GitHub, Stripe, and AWS. Generated automatically for new keys. Older keys may not have this field.
10 - 13"sk_abc123..."
Type of API key. STANDARD for regular organization keys, MARKETPLACE_SUBSCRIPTION for marketplace subscription access tokens.
standard, marketplace_subscription, retriever, user_scoped, session Marketplace subscription ID if this is a marketplace subscription key. Only set when key_type is MARKETPLACE_SUBSCRIPTION.
Organization public identifier (denormalized).
Optional description explaining the key usage.
Permissions granted to the key.
Simplified API key permissions.
This four-value enum replaces the legacy 16-permission model. Keep usage simple: prefer the least privileged option that satisfies the workflow.
Hierarchy (strongest -> weakest): ADMIN > DELETE > WRITE > READ.
read, write, delete, admin Resource-level scopes restricting the key.
Optional per-key rate limit override in requests per minute.
Lifecycle status of the key (active, revoked, expired).
active, revoked, expired UTC timestamp when the key automatically expires.
UTC timestamp of the last successful request using the key.
UTC timestamp when the key was created.
User identifier that created the key.
UTC timestamp when the key was revoked (if applicable).
User identifier that revoked the key (if applicable).
Optional list of allowed HTTP origins for this API key. When set, requests must include an Origin header matching one of these values. Supports exact matches (e.g., 'https://docs.example.com') and wildcard subdomains (e.g., 'https://*.example.com'). Only enforced for browser requests (defense-in-depth, not a security boundary). Null means no origin restriction.
[
"https://docs.example.com",
"https://*.example.com"
]End-user identifier for document-level ACL (row-level security). When set, this key is user-scoped: all document reads are automatically filtered to documents the principal owns or has been granted access to. This represents an end-user in your application, NOT an org user.