API Keys
FreshSource: docs.hindsight.vectorize.io/api-keys
Overview
API Keys authenticate applications with the Hindsight API. Keys start with the prefix hsk_.
Creating an API Key
Permission: Only Owners and Admins can create keys.
- Click Create API Key
- Enter a descriptive name
- Choose expiration: Never, 1 hour, 1 day, 7 days, 30 days, 90 days, 1 year, or Custom
- Optionally restrict to specific banks
- Click Create
WARNING
Your API key is only shown once after creation. Copy it immediately and store it securely.
Bank-Scoped Keys
Restrict keys to specific memory banks. Unauthorized access returns 403 Forbidden.
| Scenario | Recommended Scope |
|---|---|
| Production service using one bank | Restrict to that bank |
| CI/CD pipeline | Restrict to staging/test banks |
| Admin tooling | Unrestricted (all banks) |
| Per-agent MCP connections | Restrict to agent's bank |
Programmatic Key Creation
Keys with create_scoped_keys capability can programmatically create child keys:
bash
curl -X POST https://api.hindsight.vectorize.io/v1/api-keys/scoped \
-H "Authorization: Bearer <parent-key>" \
-H "Content-Type: application/json" \
-d '{
"name": "Agent - Task 42",
"allowed_bank_ids": ["bank-a"],
"expires_in_days": 7,
"metadata": {"agent_id": "task-42"}
}'Constraints:
allowed_bank_idsrequired, must be subset of parent scopeexpires_in_daysrequired, max 365, cannot exceed parent- Child keys never receive
create_scoped_keyscapability - Child keys are immutable (revoke and recreate to change)
- Revoking parent cascades to all children
Revoking Keys
- Find the key in the list
- Click the Delete (trash) icon
- Confirm revocation
DANGER
Revoked keys cannot be recovered. Applications using the key will immediately lose access.
Best Practices
- Naming: Include application, environment, and purpose (e.g., "Production API Server")
- Rotation: 90 days for production, 30 days for CI/CD, 7 days for dev
- Security: Never commit keys to version control. Use environment variables.
- Monitoring: Check "Last Used" timestamps to detect unauthorized access
- Least privilege: Restrict keys to needed banks only