Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.bigspin.ai/llms.txt

Use this file to discover all available pages before exploring further.

API keys are the credentials your code uses to make authenticated requests to Bigspin’s public API — including the Projects and Transcripts endpoints. Each key is scoped to your organization’s workspace, so any API calls made with a key operate within your organization’s data and configuration. Bigspin displays the full key only once — at creation time — so treat generation as a deliberate step and have a secure place ready to store the value before you begin. In the dashboard sidebar, scroll to the organization section and click API Keys (identified by the key icon). The page lists all keys created for your workspace along with their name, a masked prefix, status, creation date, creator, and the last time each key was used.

Create an API Key

1

Open the creation dialog

Click Create API Key in the top-right corner of the API Keys page.
2

Name your key

Enter a descriptive name (minimum 3 characters). A good name identifies both the integration and environment, for example production-transcript-upload or staging-projects-read.
3

Add an optional description

Use the description field to note what this key is used for, which service consumes it, or who owns it. This makes future audits much easier.
4

Copy the key immediately

After clicking Create API Key, Bigspin displays the full key value once. Copy it now — you will not be able to retrieve it again. Click Done when you have saved the key securely.
Bigspin shows your API key only once, immediately after creation. If you close the dialog without copying the key, you must delete it and generate a new one. Never share your API key in chat, email, or version control.

Use an API Key

Pass your key as a Bearer token in the Authorization header of every API request: 
curl https://app.bigspin.ai/public/api/v1/your-endpoint \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

Security Best Practices

Use environment variables

Store your API key in an environment variable (for example, BIGSPIN_API_KEY) and reference it in code. Never hard-code a key directly in source files.

One key per integration

Create a separate, named key for each application or environment. This lets you revoke a single compromised key without affecting other integrations.

Rotate compromised keys immediately

If a key is exposed, revoke or delete it right away and generate a replacement. Update all services using the old key before they encounter an auth failure.

Audit usage regularly

Check the Last Used column on the API Keys page to spot keys that are no longer active. Delete unused keys to reduce your attack surface.
Add API keys to your .gitignore and secret-scanning rules. Many teams also use a secrets manager (such as AWS Secrets Manager, HashiCorp Vault, or Doppler) to inject keys at runtime rather than storing them in environment files that could be checked in accidentally.

Manage Existing Keys

Each key in the table has an actions menu (the three-dot icon on the right) with the following options:
ActionWhat it does
RevokeDisables the key immediately. Any requests using this key will fail. Revocation can be undone — use Reactivate from the same menu.
ReactivateRe-enables a previously revoked key.
Delete PermanentlyRemoves the key from the system entirely. This cannot be undone.

If a Key Is Compromised

1

Revoke or delete the key

Open the actions menu next to the exposed key and choose Revoke (reversible) or Delete Permanently (irreversible). This immediately blocks all requests using that credential.
2

Generate a replacement

Create a new key following the steps above. Give it a clear name that distinguishes it from the compromised key.
3

Update your services

Replace the old key value in every environment variable, secrets manager, or configuration file that referenced it. Redeploy or restart the affected services.
4

Review audit logs

Check the Last Used timestamp on your remaining keys and review any unusual activity in your projects to confirm no further unauthorized access occurred.