API Keys

Rela AI doesn't exist in isolation — in most organizations it needs to integrate with other systems: ERPs, SCADA systems, asset management platforms, or custom reporting tools. API Keys enable that integration securely and in a controlled manner, granting programmatic access to the Rela AI API without sharing user credentials.

Each key is unique to the tenant, has a descriptive name indicating which system it was created for, and can be revoked at any time without affecting any user's credentials. If a key is compromised or no longer needed, it's deleted with no impact on the rest of the system.

The security model is designed for the industrial environment: granular access, usage traceability, and control without depending on specific users being available to authenticate integrations.

What is it for?

• Integrate third-party systems with the Rela AI API securely
• Create programmatic access that doesn't depend on specific users
• Revoke access from obsolete or compromised integrations without affecting users
• Maintain traceability of which system performed each API operation
• Separate human access credentials from machine access credentials
• Comply with security policies that prohibit sharing user passwords

How does it work?

API Keys work as long-lived authentication tokens that are included in each request to the Rela AI API. The flow is simple:

Generation: The administrator creates a new key from the dashboard, assigning it a descriptive name (for example, "SAP Integration" or "Reporting Script"). The system generates a unique token and displays it once — for security, it's not possible to retrieve the token value after closing that screen.

Usage: The third-party system includes the key in the Authorization header of each HTTP request to the Rela AI API: Authorization: Bearer <key>. The API validates the key and executes the operation with the tenant's permissions.

Management: From the dashboard, the administrator can see all active keys with their name and creation date. Keys don't show the full token value (only the last 4 characters for identification), which prevents accidental exposure.

Revocation: When an integration is no longer needed or a key is compromised, the administrator can revoke it immediately. Requests with that key are rejected instantly without affecting other keys or users.

Scope: API keys have the same permission scope as the tenant — they can read and write to the endpoints available to the organization. There is currently no granular permissions model per key.

Using the Dashboard

To manage API Keys, navigate to Administration > API Keys in the side menu.

Generate a new key:

1. Click "New API Key."
2. Enter a descriptive name that identifies what system or purpose the key is for.
3. Click "Generate."
4. Copy the generated token immediately — this is the only time the system shows the full value. Store it in a secure secrets manager (such as AWS Secrets Manager, HashiCorp Vault, or your platform's secrets store).

List active keys: The table shows all keys with name, creation date, and the last 4 characters of the token for identification. It does not show the full token.

Revoke a key: Click the delete icon next to the key you want to revoke. Confirm the action. The key becomes invalid immediately.

Security best practices:

• Create a separate key for each system you integrate, not a single shared key.
• Rotate keys periodically by generating a new one before deleting the previous one.
• Never include the key directly in source code — use environment variables or secrets managers.
• Immediately revoke any key that has been accidentally exposed.