Skip to main content
Ontora supports two authentication methods: For programmatic access, always use a workspace API key.
For interview campaign transcripts, responses, insights, and reports, create a workspace API key with the interviews and exports scopes. Vault retrieval keys are separate advanced keys that only work with POST /v1/retrieval and POST /v1/retrieval/answer for one selected context vault.

Creating a key

API keys are scoped to a single workspace. Only workspace admins can create or revoke them.
The full key is only returned once, on creation. Store it in a secret manager immediately. Subsequent GET /v1/api-keys calls return only the key_prefix.
You can also create keys from the dashboard: Settings → API keys → Create.

Scopes

Scopes restrict what an API key can do. Pick the minimum set required. Endpoints declare the scope they require. A key without that scope receives 403 Forbidden.

Revoking a key

Revocation is immediate.
Listing keys never reveals the secret — only the prefix and metadata:

Rotating keys

Best practice: keep two keys live during a rotation, swap consumers over to the new key, then revoke the old.
  1. Create a new key with the same scopes.
  2. Update consumers (CI secrets, CLI config, MCP clients).
  3. Revoke the old key once traffic has shifted.

Errors