Authentication

Rex uses API keys for programmatic access and Clerk JWT tokens for the web UI. This page covers API key authentication — the method used by integrations, scripts, and AI agents.

API keys

Every API request must include a key in the X-Api-Key header:

curl https://acme.rexgtm.com/contacts \
  -H "X-Api-Key: rex_live_abc123..."

Key format

API keys use the prefix rex_live_ for production and rex_test_ for sandbox environments. The full key is shown once at creation — store it securely. Only the last 4 characters are visible afterward.

Key scopes

Scope         Permissions                 Use case
read          GET endpoints only          Dashboards, reporting, AI agents that only query
read-write    Full CRUD on all endpoints  Integrations, automations, admin scripts
capture-only  Only POST /capture          Landing page forms, public lead capture

Choose the narrowest scope that fits your use case. Give AI agents read keys unless they need to modify data.

Managing keys

Create, view, and revoke keys in Settings > API Keys or via the API:

# Create a new key
curl -X POST "$REX_URL/apikeys" \
  -H "X-Api-Key: $REX_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Claude Agent", "scope": "read"}'

# List keys (shows last 4 chars only)
curl "$REX_URL/apikeys" \
  -H "X-Api-Key: $REX_API_KEY"

# Revoke a key
curl -X DELETE "$REX_URL/apikeys/key_01HQ..." \
  -H "X-Api-Key: $REX_API_KEY"

Revocation is immediate — the revoked key fails on the next request.

Rate limits

Requests are rate-limited per API key using a token bucket algorithm:

Limit                Value
Requests per minute  1,000
Burst allowance      Short bursts above the per-minute limit are tolerated

Every response includes rate limit headers:

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 994
X-RateLimit-Reset: 1710590460

When you exceed the limit, you receive a 429 Too Many Requests response with a Retry-After header:

{
  "error": {
    "code": "rate_limit_exceeded",
    "message": "Rate limit exceeded. Retry after 12 seconds."
  }
}

Rate limit best practices

  • Check X-RateLimit-Remaining before making burst requests
  • Respect Retry-After headers — don't retry immediately
  • Use exponential backoff for retries
  • Use read scope keys for agents that don't need write access (they share the same limits, but it's a good security practice)
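The retry behaviour these practices describe, as an added Python example rather than Rex's own client code: it honours Retry-After on a 429, falls back to exponential backoff with jitter when that header is missing, and pauses until X-RateLimit-Reset when the remaining budget hits zero. The `send` transport and `make_fake_transport` are assumptions constructed so the block runs offline.

```python
import random
import time

class RateLimitExceeded(Exception):
    """Raised when a request still returns 429 after all retries."""

def rex_request(send, method, path, max_retries=5, sleep=time.sleep, now=time.time):
    """Issue one Rex API call with rate-limit handling.

    `send(method, path)` is the transport (e.g. a requests wrapper that adds
    X-Api-Key) and returns (status, headers, body). On 429 the call waits
    for Retry-After when present, otherwise backs off exponentially with
    jitter, then retries. Returns (status, body, remaining) otherwise.
    """
    for attempt in range(max_retries + 1):
        status, headers, body = send(method, path)
        if status != 429:
            remaining = int(headers.get("X-RateLimit-Remaining", "0"))
            # Budget exhausted: pause until the bucket refills instead of
            # running the next burst straight into a 429.
            if remaining == 0 and "X-RateLimit-Reset" in headers:
                sleep(max(0.0, int(headers["X-RateLimit-Reset"]) - now()))
            return status, body, remaining
        if attempt == max_retries:
            raise RateLimitExceeded(body)
        retry_after = headers.get("Retry-After")
        if retry_after is not None:
            delay = float(retry_after)  # the server said how long to wait
        else:
            delay = min(60, 2 ** attempt) + random.uniform(0, 1)  # 1, 2, 4 ... s plus jitter
        sleep(delay)

def make_fake_transport(failures, retry_after=None):
    """Constructed stand-in for the Rex API: 429 `failures` times, then 200."""
    state = {"calls": 0}
    limited = {"X-RateLimit-Limit": "1000", "X-RateLimit-Remaining": "0",
               "X-RateLimit-Reset": "1710590460"}
    ok = {"X-RateLimit-Limit": "1000", "X-RateLimit-Remaining": "994",
          "X-RateLimit-Reset": "1710590460"}
    def send(method, path):
        state["calls"] += 1
        if state["calls"] <= failures:
            headers = dict(limited)
            if retry_after is not None:
                headers["Retry-After"] = str(retry_after)
            return 429, headers, {"error": {"code": "rate_limit_exceeded"}}
        return 200, dict(ok), {"data": []}
    return send, state
```

Pass `sleep=waits.append` (or any callable) to observe the computed delays without actually sleeping, as the tests below do.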

Security best practices

  1. Never commit API keys to source control. Use environment variables or secret managers.
  2. Rotate keys periodically. Create a new key, update your integration, then revoke the old one.
  3. Use the narrowest scope. Read-only agents get read-only keys.
  4. Set expiry dates for temporary integrations or contractor access.
  5. Monitor usage in the audit log (Settings > Audit Log) to detect unexpected activity.
