Authentication
DocLD uses API keys for programmatic access and session-based authentication for the dashboard. Create and manage keys in the dashboard (see API Keys). See API Reference Overview for base URL and rate limits.
API Key Authentication
Include your API key in the Authorization header:
```
Authorization: Bearer YOUR_API_KEY
```
Creating API Keys
- Go to Settings → API Keys
- Click “Create API Key”
- Copy the key immediately (shown only once)
- Store it securely and treat it like a password
API Key Properties
| Property | Description |
|---|---|
| name | Descriptive name for the key |
| tier | Access tier: free, standard, premium |
| rate_limit_rpm | Requests per minute limit |
| rate_limit_rpd | Requests per day limit |
| expires_at | Optional expiration date |
| organization_id | Associated organization (optional) |
Rotating Keys
Rotate API keys periodically for security: in the dashboard go to Settings → API Keys, select the key, and click Rotate. This generates a new key and invalidates the old one. The new key is shown only once.
Session Authentication
The dashboard uses secure HTTP-only cookies for session authentication via Supabase Auth.
Session authentication is required for:
- Settings and profile management
- Billing operations
- GDPR consent management
- Security-sensitive operations
Organization Context
API keys can be scoped to an organization. When using an org-scoped key:
- All created resources belong to that organization
- Access is limited to organization resources
- The organization_id parameter is applied automatically
Rate Limiting
Rate limits vary by tier:
| Tier | Requests/Minute | Requests/Day |
|---|---|---|
| Free | 100 | 10,000 |
| Standard | 1,000 | 100,000 |
| Premium | 10,000 | 1,000,000 |
Rate Limit Headers
Responses include rate limit information:
```
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 55
X-RateLimit-Reset: 1705322400
```
Handling Rate Limits
When rate limited, you’ll receive a 429 Too Many Requests response:
```json
{
  "error": {
    "code": "RATE_LIMITED",
    "message": "Rate limit exceeded. Try again in 60 seconds.",
    "retry_after": 60
  }
}
```
Security Best Practices
- Never expose keys in client-side code or version control
- Use environment variables for key storage
- Rotate keys regularly (every 90 days recommended)
- Use organization-scoped keys for team access
- Set expiration dates for temporary access
- Monitor usage via the dashboard
Error Responses
| Status | Code | Description |
|---|---|---|
| 401 | UNAUTHORIZED | Missing or invalid API key |
| 403 | FORBIDDEN | Key doesn’t have required permissions |
| 429 | RATE_LIMITED | Rate limit exceeded |
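The following client-side helper is an added example, not DocLD's own code: it builds the Bearer header from an environment variable (the variable name DOCLD_API_KEY is an assumption) and decides what to do with the 401, 403 and 429 responses and the X-RateLimit-* headers documented in the sections above, so that a caller backs off on 429 and never retries a rejected key.

```python
import json
import os
from typing import Optional, Tuple

# Added example, not DocLD's own client code. The env var name DOCLD_API_KEY and the
# 60-second fallback are assumptions; header names and error codes are as documented.

RATE_LIMIT_HEADERS = ("X-RateLimit-Limit", "X-RateLimit-Remaining", "X-RateLimit-Reset")


def auth_headers(api_key: Optional[str] = None) -> dict:
    """Build the Authorization header from an explicit key or the DOCLD_API_KEY env var."""
    key = api_key or os.environ.get("DOCLD_API_KEY")
    if not key:
        raise RuntimeError("no API key: set DOCLD_API_KEY instead of hard-coding a key")
    return {"Authorization": f"Bearer {key}"}


def parse_rate_limit(headers: dict) -> dict:
    """Read the X-RateLimit-* counters as ints; absent headers map to None."""
    return {h: int(headers[h]) if h in headers else None for h in RATE_LIMIT_HEADERS}


def throttle_delay(headers: dict, now: int) -> float:
    """Seconds to wait before the *next* request when the minute quota is already used up."""
    rl = parse_rate_limit(headers)
    if rl["X-RateLimit-Remaining"] == 0 and rl["X-RateLimit-Reset"] is not None:
        return max(0.0, float(rl["X-RateLimit-Reset"] - now))
    return 0.0


def classify_response(status: int, headers: dict, body: str, now: int) -> Tuple[str, Optional[float]]:
    """Map a response to ('ok' | 'retry' | 'fatal', seconds to wait).

    401/403 are never retried: re-sending the same key cannot succeed and only burns quota.
    429 honours retry_after from the JSON body, else waits until X-RateLimit-Reset.
    """
    if status in (401, 403):
        return "fatal", None
    if status == 429:
        err = json.loads(body).get("error", {}) if body else {}
        if "retry_after" in err:
            return "retry", float(err["retry_after"])
        reset = parse_rate_limit(headers)["X-RateLimit-Reset"]
        return "retry", (max(0.0, float(reset - now)) if reset is not None else 60.0)
    return "ok", throttle_delay(headers, now)
```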