jackdocs

Authentication

Every request to jack requires an API key in the Authorization header. Keys are scoped to your organisation — all data access is automatically isolated.

How it works

Include your API key as a Bearer token in every request:

http
Authorization: Bearer jack_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

python
import os

import httpx

# Read the key from the environment instead of hardcoding it in source
client = httpx.Client(
    base_url="https://api.usejack.io",
    headers={"Authorization": f"Bearer {os.environ['JACK_API_KEY']}"},
)

# All requests from this client are automatically authenticated
response = client.post("/v1/query", json={"question": "What is our refund policy?"})

javascript
const JACK_KEY = process.env.JACK_API_KEY; // set in your environment

const response = await fetch("https://api.usejack.io/v1/query", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${JACK_KEY}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ question: "What is our refund policy?" }),
});

API key format

All jack API keys start with the prefix jack_ followed by a 48-character random string. The full key is only shown once at creation time.

key format
jack_8f760b495f2ee3a92f6554f517882f583189d4ada07dffea

Your dashboard shows only the key prefix (e.g. jack_8f760b495f2) for identification. If you lose the full key, revoke it and generate a new one.

Managing keys

Create and revoke keys from your dashboard under API Keys, or programmatically via the keys endpoints. See API Keys for the full reference.

Security rules

Never expose keys in client-side code
Always call jack from your backend server. Your API key gives full access to your organisation's data.
Never commit keys to version control
Store keys in environment variables or a secrets manager (AWS Secrets Manager, Doppler, Vault).
One key per environment
Use separate keys for development, staging, and production. This makes rotation easy if one is compromised.
Revoke immediately if compromised
Go to dashboard → API Keys → revoke. The key is invalidated instantly. All subsequent requests with it return 401.

If you suspect a key has been exposed — even briefly — revoke it immediately. There is no “change key” operation. Revoke and generate a new one.

Error responses

A missing or invalid key returns 401 Unauthorized. A revoked key returns 403 Forbidden.

json
// 401 — missing or invalid key
{ "detail": "Invalid authentication credentials" }

// 403 — key has been revoked
{ "detail": "API key has been revoked" }