API Keys

What are API Keys?

API keys authenticate requests to your Granite endpoints. Without a valid key, requests are rejected.

Creating an API Key

Go to API Management

Navigate to API Management in the sidebar

Click Create Key

In the API Keys section, click + Create Key

Name Your Key

Give it a descriptive name:

“Production Backend”
“CI/CD Pipeline”
“Partner Integration”

Copy Immediately

Important: Copy the key now. It’s only shown once!

gk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Store your API key securely. If you lose it, you’ll need to create a new one.

Using API Keys

Include the key in the X-Granite-API-Key header:

cURL
JavaScript
Python

curl -X POST "https://api.getgranite.ai/api/your-org/endpoint" \
  -H "X-Granite-API-Key: gk_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{"param": "value"}'

const response = await fetch(
  'https://api.getgranite.ai/api/your-org/endpoint',
  {
    method: 'POST',
    headers: {
      'X-Granite-API-Key': 'gk_live_abc123...',
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ param: 'value' }),
  }
);

import requests

response = requests.post(
    'https://api.getgranite.ai/api/your-org/endpoint',
    headers={
        'X-Granite-API-Key': 'gk_live_abc123...',
        'Content-Type': 'application/json',
    },
    json={'param': 'value'}
)

Managing Keys

View Keys

In API Management, you see:

Key name
Creation date
Last used date
Partial key (last 4 characters)

Revoke Keys

To revoke a compromised or unused key:

Find the key in the list
Click the trash icon
Confirm revocation

Revocation is immediate. Any systems using the key will fail.

Best Practices

Use separate keys for different purposes

Create distinct keys for:

Production
Staging
CI/CD
Each partner integration

If one is compromised, only revoke that one.

Rotate keys periodically

Every 90 days:

Create a new key
Update your systems
Revoke the old key

Never commit keys to git

Use environment variables or secret managers:

export GRANITE_API_KEY="gk_live_abc123..."

Monitor usage

Check Analytics for unexpected patterns that might indicate a leak.

Error Responses

Status	Meaning
`401`	Missing or invalid API key
`403`	Key valid but lacks permission

Example error:

{
  "error": "unauthorized",
  "message": "Invalid or missing API key",
  "code": 401
}

Security

API keys are:

Encrypted at rest
Hashed for storage (we don’t store the plaintext)
Scoped to your organization
Logged on every use

SDK Usage

Using the TypeScript SDK:

import { client } from '@getgraniteai/ts-sdk';

client.setConfig({
  baseUrl: 'https://api.getgranite.ai',
  headers: {
    'X-Granite-API-Key': process.env.GRANITE_API_KEY,
  },
});

Get Started

Getting Started

Dashboard

Authentication

Agent Execution

RPA Automation

Public API

VM Management

Driver

Troubleshooting

What are API Keys?

Creating an API Key

Using API Keys

Managing Keys

View Keys

Revoke Keys

Best Practices

Error Responses

Security

SDK Usage

Next Steps

Create Endpoints

Invoke Automations

Get Started

Getting Started

Dashboard

Authentication

Agent Execution

RPA Automation

Public API

VM Management

Driver

Troubleshooting

​What are API Keys?

​Creating an API Key

​Using API Keys

​Managing Keys

​View Keys

​Revoke Keys

​Best Practices

​Error Responses

​Security

​SDK Usage

​Next Steps

Create Endpoints

Invoke Automations

What are API Keys?

Creating an API Key

Using API Keys

Managing Keys

View Keys

Revoke Keys

Best Practices

Error Responses

Security

SDK Usage

Next Steps