Authentication

API keys, scopes and where to put the bearer token.

Skryx authenticates every request with a single header:

Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxx

There is no separate user/password, no signed-request scheme — just the key.

# Key scopes

Keys are scoped to limit blast radius. Pick the smallest scope that does the job:

| Scope | What it can do | Where you typically use it |
|---|---|---|
| search | Run search + autocomplete on any index. Cannot read or write documents, settings or keys. | Front-end / mobile clients. Safe to embed. |
| index:write | Everything search does, plus add/update/delete documents and trigger data-source syncs. | Back-office sync jobs, ingest pipelines. |
| index:admin | Everything above, plus create/delete indexes, manage synonyms, ranking rules, data sources. | Trusted server processes; key-rotation tooling. |

Within an index, search-scoped keys also accept a query_by allowlist — you can issue a key that searches products only, by title and brand only.

# Creating and rotating keys

In the dashboard at app.skryx.io/api-keys:

  1. Click Create key.
  2. Choose a scope (search / write / admin).
  3. Give it a name — you'll thank yourself in six months when you need to identify which service uses which key.
  4. Copy the plaintext key. It is displayed once and never again: Skryx stores only a one-way hash, so we cannot recover the value for you.

Rotating is the same flow: create a new key, deploy it, then revoke the old one.

# Where to put the key

Server-side requests — put the key in an environment variable and read it from there.

export SKRYX_API_KEY=sk_live_xxxxxxxxxxxxxxxxxxxx

Client-side requests (browser, mobile) — use a search-scoped key only. That key can search, but cannot mutate anything. It's intentionally safe to ship in JavaScript.

<script>
  const SKRYX_KEY = 'sk_live_search_xxxxx';
  fetch('https://api.skryx.io/v1/indexes/products/query', {
    headers: { 'Authorization': 'Bearer ' + SKRYX_KEY, 'Content-Type': 'application/json' },
    method: 'POST',
    body: JSON.stringify({ q: 'macbook', query_by: 'title' }),
  });
</script>

CORS is enabled for /v1/* so the browser request above works from any origin.

# What happens on failure

If your key is missing, malformed, revoked, or trying to use a scope it doesn't have, the API returns HTTP 401 with a structured error body:

{ "error": "unauthorized", "message": "API key missing or invalid." }

A scope mismatch returns 403:

{ "error": "forbidden", "message": "This key cannot manage indexes." }

See error codes for the full list.
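
A server-side caller that reads the key from the environment and tells the two failure responses above apart, as an added example (not Skryx's own SDK code). The helper names `buildQueryRequest`, `classifyFailure` and `search` are hypothetical; the endpoint, header and error bodies are the ones shown on this page.

```javascript
// Added example, not Skryx SDK code; helper names are hypothetical.
const SKRYX_BASE = 'https://api.skryx.io/v1'; // base URL as shown on this page

// Build the request; the key goes only in the Authorization header.
function buildQueryRequest(env, index, query) {
  const key = env.SKRYX_API_KEY;
  if (typeof key !== 'string' || key.trim() === '') {
    // Fail closed locally instead of sending an unauthenticated request.
    throw new Error('SKRYX_API_KEY is not set');
  }
  return {
    url: `${SKRYX_BASE}/indexes/${encodeURIComponent(index)}/query`,
    options: {
      method: 'POST',
      headers: { 'Authorization': `Bearer ${key.trim()}`, 'Content-Type': 'application/json' },
      body: JSON.stringify(query),
    },
  };
}

// Map the documented 401/403 bodies to an operator action.
function classifyFailure(status, body) {
  const code = body && typeof body.error === 'string' ? body.error : 'unknown';
  if (status === 401) {
    return { authFailure: true, code, action: 'fix or replace the key; retrying with it will not help' };
  }
  if (status === 403) {
    return { authFailure: true, code, action: 'key is valid but its scope does not cover this call' };
  }
  return { authFailure: false, code, action: 'not an authentication failure' };
}

// fetchImpl is injectable so the flow can be exercised offline with a stub.
async function search(index, query, env = process.env, fetchImpl = fetch) {
  const { url, options } = buildQueryRequest(env, index, query);
  const res = await fetchImpl(url, options);
  if (res.ok) return res.json();
  const body = await res.json().catch(() => ({}));
  const failure = classifyFailure(res.status, body);
  // The error carries status, code and action only, never the key.
  const err = new Error(`Skryx ${res.status} ${failure.code}: ${failure.action}`);
  err.failure = failure;
  throw err;
}
```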

# What's next

  • Quickstart — sign up and run your first search.
  • Rate limits — per-plan request limits and how they're enforced.