API Keys & Rate Limits
aqoon uses API keys to authenticate programmatic access to the search API, MCP server, and other developer endpoints. Keys are prefixed with aqn_ followed by 40 random characters, and are stored server-side as SHA-256 hashes — the plaintext is only shown once at creation time.
To create and manage your keys from the UI, see the User Guide.
Key Types
There are two key types with different access scopes:
| Type | Access Scope | Typical Use |
|---|---|---|
| Full-access | All collections owned by or subscribed to the key owner | Personal MCP integration, automation scripts, internal tooling |
| Scoped | Only collections explicitly granted to the key | Sharing search access with third-party developers or applications |
Scoped keys are the safer default when distributing access. Grant access to specific collections via the key management UI or the /api/v1/keys/{uuid}/collections/ endpoint.
Permission Levels
Each collection access grant on a scoped key carries a permission level that controls what the key holder can do with that collection:
| Permission | Allowed Operations |
|---|---|
read |
Search and retrieve documents from the collection |
write |
Search, retrieve, and upload new documents to the collection |
The default permission for a new grant is read. Pass "permission": "write" when granting access if the key holder needs to upload documents.
Full-access keys have implicit write permission on all collections owned by the key owner — no grant is required.
Grant / Revoke Collection Access
Use the /api/v1/keys/{uuid}/collections/ endpoint to manage which collections a scoped key can reach, and at what permission level.
Grant access
POST /api/v1/keys/{uuid}/collections/
Authorization: Bearer aqn_your_api_key
Content-Type: application/json
{
"collection_id": "collection-uuid",
"permission": "write"
}
Omit permission (or pass "read") to grant read-only access. Pass "write" to allow document uploads as well.
Revoke access
DELETE /api/v1/keys/{uuid}/collections/{collection_id}/
Authorization: Bearer aqn_your_api_key
Key rotation (generating a new secret for an existing key record) preserves all collection grants and their permission levels. The new secret is a drop-in replacement — no re-granting is required.
Write permission is required to use the document upload API (POST /api/v1/collections/{id}/documents/). Requests from a key with only read access will be rejected with HTTP 403.
Key Expiration
Keys can be created with an expiration date (30 days, 90 days, 6 months, or 1 year) or set to never expire. You can change the expiration at any time from the key detail page.
Expired keys are automatically rejected with a 401 error. To renew a key, set a new expiration from the key detail page. No new key needs to be created.
Search Endpoint
The developer search endpoint accepts a Bearer token and returns ranked result chunks from all collections accessible to the key:
POST /api/v1/search/
Authorization: Bearer aqn_your_api_key
Content-Type: application/json
{
"query": "your search query",
"limit": 5,
"collection_id": "optional-uuid-to-scope-to-one-collection"
}
Example with cURL:
curl -X POST https://your-instance/api/v1/search/ \
-H "Authorization: Bearer aqn_your_api_key" \
-H "Content-Type: application/json" \
-d '{"query": "retrieval augmented generation", "limit": 10}'
See the API Reference for full request/response schemas, filtering options, and error codes. Use the Search Playground to test interactively.
Rate Limiting
Each API key is assigned a rate tier that controls how many requests can be made across three windows:
| Tier | Per Minute | Per Day | Per Month |
|---|---|---|---|
| Free (default) | 10 | 1,000 | 10,000 |
| Basic | 60 | 10,000 | 100,000 |
| Pro | 300 | 100,000 | 1,000,000 |
Rate tiers are managed by your account administrator. Limits are enforced per account — all API keys owned by the same user share a single set of counters. Every API response includes the following headers so your application can track limits programmatically:
| Header | Description |
|---|---|
X-RateLimit-Limit |
Maximum requests allowed in the current window |
X-RateLimit-Remaining |
Requests remaining in the current window |
Retry-After |
Seconds to wait before retrying (only present on 429 responses) |
When a limit is exceeded, the API returns HTTP 429 Too Many Requests. Your client should respect Retry-After and implement exponential backoff for resilience.
Usage Dashboard
The usage dashboard is available in the app sidebar under API Usage. It provides:
- Summary metrics — Total requests, error count, and average response time for the selected period
- Daily volume chart — Requests and errors plotted over 7, 30, or 90 days
- Per-key breakdown — Request counts and error rates per API key
- Recent request log — Query text, result count, response time, and HTTP status for individual requests
Webhook Notifications
Configure a webhook URL to receive notifications when documents finish processing. Instead of polling for status, aqoon will POST a signed JSON payload to your URL when a document is indexed or failed.
- One webhook per organization — set via
POST /api/v1/webhooks/ - HMAC-SHA256 signed — verify authenticity using the secret returned at creation
- Automatic retries — exponential backoff on server errors (max 5 retries)
- Test endpoint — send a test event via
POST /api/v1/webhooks/test/
See the API Reference — Webhooks for full payload format, signature verification, and examples.
Billing & Pricing
API query volume is metered against your monthly plan quota. Three plans are available:
| Plan | Price | Included Queries/Month | Overage Rate |
|---|---|---|---|
| Free | $0/mo | 1,000 | — |
| Starter | $29/mo | 10,000 | $0.002 per query |
| Pro | $99/mo | 100,000 | $0.001 per query |
Billing is managed via Stripe. Invoices are generated automatically at the end of each billing cycle based on actual usage data. Overage charges are only applied when you exceed the included quota for your plan.