For programmatic access, always use a workspace API key.
For interview campaign transcripts, responses, insights, and reports, create a workspace API key with the
interviews and exports scopes. Vault retrieval keys are separate advanced keys that only work with
POST /v1/retrieval and POST /v1/retrieval/answer for one selected context vault.Creating a key
API keys are scoped to a single workspace. Only workspace admins can create or revoke them.Scopes
Scopes restrict what an API key can do. Pick the minimum set required.
Endpoints declare the scope they require. A key without that scope receives
403 Forbidden.
Revoking a key
Revocation is immediate.Rotating keys
Best practice: keep two keys live during a rotation, swap consumers over to the new key, then revoke the old.- Create a new key with the same scopes.
- Update consumers (CI secrets, CLI config, MCP clients).
- Revoke the old key once traffic has shifted.