Authentication
You will need to authenticate your requests to access any of the endpoints in the Slateo API. In this guide, we will look at how authentication works. Slateo offers two ways to authenticate your API requests: Clerk session authentication for web applications and API key authentication for programmatic access.
API key authentication
API keys provide programmatic access to the Slateo API. Each key is bound to the user who created it and inherits that user's permissions within the organization, so anyone holding the key can do everything that user can do. Treat it with the same care as that user's credentials.
Generating API keys
API keys can be generated from your organization settings in the Slateo dashboard:
- Navigate to Organization Settings → API Keys
- Click Create API Key
- Provide a descriptive name for the key
- Copy the generated key immediately - it will not be shown again
API key format
Slateo API keys follow a structured format:
sk_live_R7NQLmbcFP3X9keTzA5H2vBj4mK8pL2nW6xQ3sT9
└──┬───┘└──────────────────┬───────────────────┘
 prefix                  secret
- Prefix: sk_live_ for production keys
- Secret: high-entropy random string that carries the actual authentication value
Using API keys
Include your API key in the Authorization header as a Bearer token:
Example request with API key
curl https://api.slateo.ai/api/queries \
-H "Authorization: Bearer sk_live_R7NQLmbcFP3X9keTzA5H2vBj..."
Best practices
- Keep keys secure: never commit API keys to version control
- Use environment variables: load keys from the environment or a secrets manager; if you use a .env file locally, keep it out of version control (add it to .gitignore)
- Rotate regularly: generate new keys periodically and revoke old ones
- Monitor usage: check the "Last Used" timestamp to detect anomalies
- Limit scope: create separate keys for different applications or environments, so a compromised key can be revoked without affecting the others
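The first best practice above (never commit keys) is easiest to enforce mechanically. The following is an added example, not part of the Slateo documentation or codebase: a small scanner that looks for tokens matching the key format shown on this page and exits non-zero, so it can run as a pre-commit hook. The pattern assumes a 40-character alphanumeric secret after sk_live_ (the length of the example key; the page does not state it as a rule), and the sample files are constructed.

```python
import re
import sys

# Pattern assumed from the example key on this page: "sk_live_" followed by a
# 40-character alphanumeric secret. Word boundaries keep longer tokens out.
SLATEO_KEY_RE = re.compile(r"\bsk_live_[A-Za-z0-9]{40}\b")


def find_leaked_keys(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line_number, redacted_key) for every key found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SLATEO_KEY_RE.finditer(line):
            key = match.group(0)
            # Redact: keep the prefix and last 4 characters so the key can be
            # identified in the dashboard without reproducing the secret.
            findings.append((path, lineno, key[:8] + "..." + key[-4:]))
    return findings


def scan(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Scan a mapping of path -> file contents."""
    out = []
    for path, text in files.items():
        out.extend(find_leaked_keys(path, text))
    return out


# Constructed sample files: one hard-codes a key (the page's own example key),
# one reads it from the environment, one mentions a placeholder.
SAMPLE_FILES = {
    "config.py": 'API_KEY = "sk_live_R7NQLmbcFP3X9keTzA5H2vBj4mK8pL2nW6xQ3sT9"\n',
    "client.py": "API_KEY = os.environ['SLATEO_API_KEY']\n",
    "notes.md": "placeholder sk_live_xxx is not a real key\n",
}


if __name__ == "__main__":
    hits = scan(SAMPLE_FILES)
    for path, lineno, redacted in hits:
        print(f"{path}:{lineno}: possible Slateo API key {redacted}")
    # A non-zero exit status blocks the commit when run from a pre-commit hook.
    sys.exit(1 if hits else 0)
```

In a real hook you would read the staged files (for example from `git diff --cached --name-only`) instead of SAMPLE_FILES; the matching and redaction logic stays the same.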
Clerk session authentication
For web applications using the Slateo dashboard, authentication is handled automatically through Clerk sessions. This is transparent to users who are logged in through the web interface.
Security considerations
API key storage
- Keys are stored as a SHA-256 hash; the plaintext is never persisted, so a database leak does not yield usable keys. A plain SHA-256 hash is adequate here because the secret is a high-entropy random string: unlike a password it cannot be guessed, so no slow password-hashing scheme is needed
- The full key is shown only once during creation
- Keys can be revoked immediately if compromised
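To make the key-format and storage sections concrete, here is an added example of how a server could issue, verify and revoke keys of this shape. It is not Slateo's code: the 40-character alphanumeric secret length, the in-memory store and the record fields are assumptions; what it takes from the page is the sk_live_ prefix, the one-time display of the plaintext and the SHA-256-only storage.

```python
import hashlib
import secrets
import string
from typing import Optional

# Format assumed from the example key on this page: "sk_live_" plus a
# 40-character alphanumeric secret (~238 bits of entropy).
PREFIX = "sk_live_"
SECRET_LEN = 40
ALPHABET = string.ascii_letters + string.digits


def generate_api_key() -> str:
    """Return a fresh key. Only the caller ever sees the plaintext."""
    secret = "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LEN))
    return PREFIX + secret


def hash_api_key(key: str) -> str:
    """SHA-256 of the full key; this digest is all the server persists.

    A fast unsalted hash is sufficient because the secret is random and
    long; unlike a password it cannot be guessed offline.
    """
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """Hypothetical server-side table keyed by digest (not Slateo's code)."""

    def __init__(self) -> None:
        self._by_hash: dict[str, dict] = {}

    def create(self, user_id: str, name: str) -> str:
        """Create a key for a user and return the plaintext exactly once."""
        key = generate_api_key()
        self._by_hash[hash_api_key(key)] = {
            "user_id": user_id, "name": name, "revoked": False,
        }
        return key  # shown to the user once; never written anywhere

    def authenticate(self, presented: str) -> Optional[dict]:
        """Return the record for a well-formed, known, unrevoked key, else None."""
        if not presented.startswith(PREFIX):
            return None
        if len(presented) != len(PREFIX) + SECRET_LEN:
            return None
        # Lookup by digest: the server compares hashes, never plaintext, and
        # a revoked record fails closed even though its hash is still present.
        record = self._by_hash.get(hash_api_key(presented))
        if record is None or record["revoked"]:
            return None
        return record

    def revoke(self, presented: str) -> bool:
        """Mark a key revoked; takes effect on the next request."""
        record = self._by_hash.get(hash_api_key(presented))
        if record is None:
            return False
        record["revoked"] = True
        return True
```

Because only the digest is stored, the dashboard can show "Last Used" and allow revocation for a key whose value nobody, including the operator, can recover.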
Audit logging
All API key usage is logged with:
- IP address of the request
- User agent information
- Timestamp of access
- Action performed
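The fields listed above are enough to spot the two things the page asks you to watch for: a key suddenly used from somewhere new, and a key that has gone quiet and should be rotated or revoked. The following detection logic is an added example, not part of Slateo's tooling; the records are constructed, and the key_id field and the exact record shape are assumptions, since the page does not document an export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit records carrying the fields this page says are logged
# (IP, user agent, timestamp, action). "key_id" and the layout are assumed.
AUDIT_LOG = [
    {"key_id": "key_ci", "ip": "203.0.113.10", "ua": "curl/8.4.0",
     "ts": "2024-05-01T09:00:00Z", "action": "GET /api/queries"},
    {"key_id": "key_ci", "ip": "203.0.113.10", "ua": "curl/8.4.0",
     "ts": "2024-05-01T09:05:00Z", "action": "GET /api/queries"},
    {"key_id": "key_ci", "ip": "198.51.100.7", "ua": "python-requests/2.31",
     "ts": "2024-05-01T09:07:00Z", "action": "GET /api/queries"},
    {"key_id": "key_app", "ip": "192.0.2.44", "ua": "node",
     "ts": "2024-01-15T12:00:00Z", "action": "GET /api/queries"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_ip_changes(records, window=timedelta(hours=1)):
    """Flag an event whose source IP differs from every IP the same key
    used within the preceding `window`.

    A key shared by several deployments trips this legitimately, which is
    one reason to issue one key per application.
    """
    by_key = defaultdict(list)
    for r in records:
        by_key[r["key_id"]].append((parse_ts(r["ts"]), r["ip"], r["ua"]))
    alerts = []
    for key_id, events in by_key.items():
        events.sort()
        for i, (ts, ip, ua) in enumerate(events):
            recent_ips = {e[1] for e in events[:i] if ts - e[0] <= window}
            if recent_ips and ip not in recent_ips:
                alerts.append((key_id, ip, ua, ts.isoformat()))
    return alerts


def stale_keys(records, now: datetime, max_age=timedelta(days=90)):
    """Return key_ids whose most recent use is older than max_age; these are
    the rotation or revocation candidates the "Last Used" column points at."""
    last_used = {}
    for r in records:
        ts = parse_ts(r["ts"])
        last_used[r["key_id"]] = max(ts, last_used.get(r["key_id"], ts))
    return sorted(k for k, ts in last_used.items() if now - ts > max_age)


if __name__ == "__main__":
    for alert in detect_ip_changes(AUDIT_LOG):
        print("new source IP for key:", alert)
    print("stale keys:", stale_keys(AUDIT_LOG, parse_ts("2024-05-01T10:00:00Z")))
```

The user agent is carried along in the alert because a change of both IP and client (curl to python-requests in the sample) is a stronger signal than either alone.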
Rate limiting
API requests are subject to rate limiting to prevent abuse. Current limits:
- 1000 requests per hour per API key
- 100 concurrent requests per organization
Making authenticated requests
When making requests to the Slateo API, always include your API key in the Authorization header:
JavaScript
// Read the key from the environment rather than hard-coding it
const response = await fetch('https://api.slateo.ai/api/queries', {
  headers: {
    'Authorization': 'Bearer ' + process.env.SLATEO_API_KEY,
    'Content-Type': 'application/json'
  }
});
Python
import os
import requests

# Read the key from the environment rather than hard-coding it
response = requests.get(
    'https://api.slateo.ai/api/queries',
    headers={
        'Authorization': 'Bearer ' + os.environ['SLATEO_API_KEY'],
        'Content-Type': 'application/json'
    }
)
response.raise_for_status()  # surface 401/403/429 instead of silently parsing an error body
cURL
curl https://api.slateo.ai/api/queries \
-H "Authorization: Bearer $SLATEO_API_KEY" \
-H "Content-Type: application/json"
FAQ
Can I regenerate an API key if it's compromised?
Yes, you can revoke a compromised key immediately from the Organization Settings → API Keys page and generate a new one. The old key will stop working immediately after revocation.
Do API keys expire?
API keys do not automatically expire. However, we recommend rotating them periodically as a security best practice. You can monitor the "Last Used" timestamp to detect anomalies.
Can I use the same API key for multiple applications?
While technically possible, we recommend creating separate API keys for different applications or environments. This makes it easier to track usage and revoke access if needed.
What happens if I exceed the rate limit?
If you exceed the rate limit, you'll receive a 429 status code. Your application should back off and retry with exponentially increasing delays and some jitter rather than retrying immediately; if the response carries a Retry-After header, honor it.
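Putting the request examples and the 429 guidance together, here is an added example of a client that sends the Bearer header, retries 429 with capped exponential backoff and jitter, and honors Retry-After when present. It is not Slateo's SDK. Whether the API sends Retry-After is not stated on this page, so that branch is conditional; the transport is injectable so the fake server below lets the example run offline, and the numbers (5 attempts, 0.5 s base, 30 s cap) are illustrative choices.

```python
import os
import random
import time
from typing import Callable, Optional
from urllib import request
from urllib.error import HTTPError

API_URL = "https://api.slateo.ai/api/queries"

# A transport takes (url, headers) and returns (status, response_headers, body).
Transport = Callable[[str, dict], tuple[int, dict, bytes]]


def urllib_transport(url: str, headers: dict) -> tuple[int, dict, bytes]:
    """Real transport using the standard library; 4xx/5xx are returned, not raised."""
    req = request.Request(url, headers=headers)
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except HTTPError as e:
        return e.code, dict(e.headers), e.read()


def get_with_backoff(url: str, api_key: str, transport: Transport,
                     max_attempts: int = 5, base_delay: float = 0.5,
                     sleep: Callable[[float], None] = time.sleep) -> tuple[int, bytes]:
    """GET url with a Bearer key, retrying on 429 only.

    Uses Retry-After (seconds) when the server sends it, otherwise
    base_delay * 2**attempt plus jitter, capped at 30 s. Returns the final
    (status, body); a 429 after max_attempts is returned for the caller to handle.
    """
    headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}
    status, resp_headers, body = 0, {}, b""
    for attempt in range(max_attempts):
        status, resp_headers, body = transport(url, headers)
        if status != 429:
            return status, body
        retry_after = resp_headers.get("Retry-After")
        if retry_after and retry_after.isdigit():
            delay = float(retry_after)
        else:
            delay = min(30.0, base_delay * 2 ** attempt) + random.uniform(0, base_delay)
        sleep(delay)
    return status, body


def fake_transport_factory(failures: int, retry_after: Optional[str] = "1"):
    """Constructed server: answers 429 `failures` times, then 200.
    Records how many calls it saw and the Authorization header it received."""
    calls = {"n": 0, "auth": None}

    def transport(url: str, headers: dict) -> tuple[int, dict, bytes]:
        calls["n"] += 1
        calls["auth"] = headers.get("Authorization")
        if calls["n"] <= failures:
            hdrs = {"Retry-After": retry_after} if retry_after else {}
            return 429, hdrs, b'{"error":"rate limited"}'
        return 200, {}, b'{"queries":[]}'

    return transport, calls


def demo() -> tuple[int, bytes, int, str]:
    """Two 429s then success against the fake, with sleeps recorded not performed."""
    transport, calls = fake_transport_factory(failures=2)
    slept: list = []
    status, body = get_with_backoff(API_URL, "sk_live_example", transport, sleep=slept.append)
    return status, body, calls["n"], calls["auth"]


if __name__ == "__main__":
    print(demo())
    if "SLATEO_API_KEY" in os.environ:
        print(get_with_backoff(API_URL, os.environ["SLATEO_API_KEY"], urllib_transport))
```

Only 429 is retried here; a 401 or 403 means the key is wrong or revoked and retrying it just burns quota and fills the audit log.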