
Overview

RegPilot uses API keys to authenticate requests. Your API keys carry many privileges, so be sure to keep them secure and never share them publicly.

Security First: Never expose your API keys in client-side code, GitHub repositories, or public forums. Always use environment variables and server-side code for API requests.

API Key Types

RegPilot offers different types of API keys for different use cases:

Gateway Keys

  • Purpose: AI Gateway API requests (/api/ai/*)
  • Prefix: sk_
  • Permissions: Chat completions, AI model access, Governor validation

Project Keys

  • Purpose: Compliance management APIs
  • Prefix: pk_
  • Permissions: Violations, models registry, compliance data

Creating API Keys

  1. Navigate to AI Gateway
     Go to your project dashboard and select AI Gateway → Overview

  2. Click Manage Keys
     Click the “Manage Keys” button to open the API keys panel

  3. Create New Key
     Click “Create New Key”, give it a descriptive name, and save it immediately.
     API keys are only shown once at creation. If you lose a key, you’ll need to generate a new one.

  4. Copy and Store Securely
     Copy the key to your password manager or environment variables:

     # Example: .env.local
     REGPILOT_API_KEY=sk_1a2b3c4d5e6f7g8h9i0j...

Authentication Methods

Method 1: X-API-Key Header

The preferred method for authenticating API requests:

curl -X POST https://regpilot.dev/api/ai/chat \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"messages": [{"role": "user", "content": "Hello"}]}'

const response = await fetch('https://regpilot.dev/api/ai/chat', {
  method: 'POST',
  headers: {
    'X-API-Key': process.env.REGPILOT_API_KEY!,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    messages: [{ role: 'user', content: 'Hello' }],
  }),
});

Method 2: Authorization Bearer Token

Alternative authentication using the Authorization header:
curl -X POST https://regpilot.dev/api/ai/chat \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"messages": [{"role": "user", "content": "Hello"}]}'

Method 3: SDK Authentication

When using the official RegPilot SDK, authentication is handled automatically:
import { RegPilot } from '@regpilot/sdk';

const client = new RegPilot({
  apiKey: process.env.REGPILOT_API_KEY,
});

// Authentication handled automatically
const response = await client.chat.create({
  messages: [{ role: 'user', content: 'Hello' }],
});

Environment-Specific Keys

Use different API keys for different environments:
  • Development
  • Staging
  • Production

For example, in development:

.env.development
REGPILOT_API_KEY=sk_dev_1a2b3c4d...
REGPILOT_ENVIRONMENT=development

Development keys have:
  • Lower rate limits
  • Verbose logging enabled
  • Test mode activated

Security Best Practices

Never hardcode API keys in your source code:
// ❌ Bad - Hardcoded API key
const apiKey = 'sk_1a2b3c4d5e6f7g8h';

// ✅ Good - Environment variable
const apiKey = process.env.REGPILOT_API_KEY;
Only use API keys in server-side code, never in client-side JavaScript:

// ❌ Bad - Client-side API call (the key is shipped to every browser)
// components/Chat.tsx
const response = await fetch('/api/ai/chat', {
  headers: { 'X-API-Key': apiKey }
});

// ✅ Good - Server-side API route (the key stays in the server environment)
// app/api/chat/route.ts
export async function POST(req: Request) {
  const body = await req.json();
  const response = await fetch('https://regpilot.dev/api/ai/chat', {
    method: 'POST',
    headers: {
      'X-API-Key': process.env.REGPILOT_API_KEY!,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify(body),
  });
  // Relay RegPilot's answer to the browser; the key never leaves the server
  return new Response(await response.text(), {
    status: response.status,
    headers: { 'Content-Type': 'application/json' },
  });
}
Rotate your API keys periodically:
  1. Create a new API key
  2. Update your environment variables
  3. Deploy the changes
  4. Delete the old key after verification
Create separate API keys for different services:
  • Frontend API route: Gateway key for chat
  • Backend service: Project key for compliance data
  • CI/CD pipeline: Read-only key for testing
Regularly review API key usage in your dashboard:
  • Check for unusual activity
  • Monitor request patterns
  • Review error rates
  • Verify geographic locations
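The practices above (keys from the environment, separate keys per service) and the prefix convention from the API Key Types section, as an added example that is not RegPilot's own code or SDK: the environment variable names REGPILOT_GATEWAY_KEY and REGPILOT_PROJECT_KEY are assumptions, and so is routing every non-/api/ai/ path to the project key.

```javascript
// Added example, not RegPilot's own code. The environment variable names
// REGPILOT_GATEWAY_KEY and REGPILOT_PROJECT_KEY are assumptions; the prefixes
// come from the API Key Types section of this page.
const KEY_TYPES = {
  gateway: { prefix: 'sk_', envVar: 'REGPILOT_GATEWAY_KEY' }, // /api/ai/* requests
  project: { prefix: 'pk_', envVar: 'REGPILOT_PROJECT_KEY' }, // compliance APIs
};

// Keep only the prefix and the last 4 characters, like the dashboard's
// "Key Prefix" column, so a key can be named in logs without being leaked.
function maskKey(key) {
  if (typeof key !== 'string' || key.length < 12) return '***';
  return `${key.slice(0, 6)}...${key.slice(-4)}`;
}

// Read a key of the given type from the environment and refuse it if the
// prefix does not match, without echoing the full secret in the error.
function requireKey(type, env = process.env) {
  const spec = KEY_TYPES[type];
  if (!spec) throw new Error(`unknown key type: ${type}`);
  const key = env[spec.envVar];
  if (!key) throw new Error(`${spec.envVar} is not set (keys belong in the environment, not source code)`);
  if (!key.startsWith(spec.prefix)) {
    throw new Error(`${spec.envVar} (${maskKey(key)}) is not a ${type} key: expected prefix ${spec.prefix}`);
  }
  return key;
}

// The page documents gateway keys for /api/ai/*; treating every other path as
// a project-key route is an assumption made for this example.
function keyTypeForPath(path) {
  return path.startsWith('/api/ai/') ? 'gateway' : 'project';
}

// Headers for the preferred X-API-Key method, using the right key for the path.
function authHeaders(path, env = process.env) {
  return {
    'X-API-Key': requireKey(keyTypeForPath(path), env),
    'Content-Type': 'application/json',
  };
}

// Scrub any sk_/pk_ key that leaks into text bound for logs (stack traces,
// request dumps, support tickets) before it is written anywhere.
function redactKeys(text) {
  return text.replace(/\b(?:sk|pk)_[A-Za-z0-9_]{8,}/g, (m) => maskKey(m));
}
```

Wire redactKeys into your logger's formatter so a key that ends up in an exception message is masked before it is persisted.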

Managing API Keys

Viewing API Keys

View all your API keys in AI Gateway → Overview → Manage Keys:
  • Name: Descriptive key name
  • Key Prefix: First/last characters for identification
  • Created: When the key was created
  • Last Used: Most recent usage timestamp
  • Status: Active or inactive

Deactivating Keys

Temporarily disable a key without deleting it:
  1. Go to AI Gateway → Overview → Manage Keys
  2. Find the key you want to deactivate
  3. Click the “Deactivate” button
  4. Confirm the action
Deactivated keys will return 401 Unauthorized errors until reactivated.

Deleting Keys

Permanently remove an API key:
  1. Go to AI Gateway → Overview → Manage Keys
  2. Find the key you want to delete
  3. Click the “Delete” button
  4. Confirm the action
Deleted keys cannot be recovered. Make sure you’ve updated all services using the key before deleting it.

Testing Authentication

Verify your API key is working correctly:
# Test authentication
curl https://regpilot.dev/api/health \
  -H "X-API-Key: YOUR_API_KEY"

# Expected response
{
  "status": "ok",
  "authenticated": true,
  "project_id": "your-project-id"
}

Error Responses

Common authentication errors and how to resolve them:
Status Code | Error                              | Solution
------------|------------------------------------|-----------------------------------------------
401         | Missing API key                    | Include the X-API-Key header in your request
401         | Invalid or inactive API key        | Check that your API key is correct and active
403         | API key lacks required permissions | Use a key with appropriate permissions
429         | Rate limit exceeded                | Wait before retrying or upgrade your plan
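A request helper that turns the statuses in this table into actionable errors and retries only the 429 case, as an added example that is not RegPilot's own code or SDK. It assumes error bodies of the form {"error": "..."} and an optional Retry-After header on 429 responses, neither of which this page documents; the fetch implementation is injectable so the logic can be exercised offline.

```javascript
// Added example, not RegPilot's own code. Assumptions: error bodies look like
// {"error": "..."} and a 429 may carry a Retry-After header; neither is
// documented on this page. fetch is injectable so the logic runs offline.
const BASE_URL = 'https://regpilot.dev';

class RegPilotError extends Error {
  constructor(status, body, hint) { super(`RegPilot ${status}: ${body.error ?? 'request failed'}; ${hint}`); this.status = status; }
}

// Map each status in the error table to the fix the table recommends.
function hintFor(status, body) {
  switch (status) {
    case 401:
      return /missing/i.test(body.error ?? '')
        ? 'include the X-API-Key header'
        : 'check that the key is correct and active (deactivated keys return 401)';
    case 403:
      return 'use a key with the required permissions (sk_ for /api/ai/*, pk_ for compliance APIs)';
    case 429:
      return 'rate limit exceeded: wait before retrying or upgrade the plan';
    default:
      return 'see the RegPilot error responses table';
  }
}

// Retry-After in seconds when present (assumed), else exponential backoff from 500 ms.
function retryDelayMs(response, attempt) {
  const seconds = Number(response.headers.get('retry-after'));
  return seconds > 0 ? seconds * 1000 : 500 * 2 ** attempt;
}

// POST to RegPilot with the preferred X-API-Key header. Only 429 is retried;
// 401 and 403 are configuration errors that retrying cannot fix.
async function regpilotRequest(path, apiKey, body, opts = {}) {
  const { fetchImpl = globalThis.fetch, maxAttempts = 3, sleep = (ms) => new Promise((r) => setTimeout(r, ms)) } = opts;
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const response = await fetchImpl(BASE_URL + path, {
      method: 'POST',
      headers: { 'X-API-Key': apiKey, 'Content-Type': 'application/json' },
      body: JSON.stringify(body),
    });
    if (response.ok) return response.json();
    const errBody = await response.json().catch(() => ({}));
    if (response.status === 429 && attempt + 1 < maxAttempts) {
      await sleep(retryDelayMs(response, attempt));
      continue;
    }
    throw new RegPilotError(response.status, errBody, hintFor(response.status, errBody));
  }
}
```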

Rate Limits

API key rate limits depend on your plan:
  • Free Tier
  • Pro Plan
  • Enterprise

Free Tier limits (the first plan tab):
  • Requests: 1,000 per day
  • Burst: 10 requests per second
  • Governor: Not available
Rate limits are tracked per API key. Distribute load across multiple keys if needed.

Next Steps