Xentree Docs
My Xentree
My Xentree
  1. Documentation
  • Documentation
    • Introduction
    • Quickstart
    • Authentication
    • Conversations
    • Knowledge Base
    • Organizations
    • Profile & Analytics
    • Xentree English
    • Xentree Live
    • Skills Connector
    • Integration Tokens
    • API Keys
    • Errors and Limits
  • API Reference
    • Authentication
      • Register a new user
      • Log in and get an access token
      • Refresh an access token
      • Log out the current user
      • Get the current authenticated user
      • Update the current authenticated user
    • Conversations
      • List available AI providers
      • Generate an AI response
      • List conversations for the current user
      • Create a conversation
      • Get messages for a conversation
      • Search indexed user content
    • Knowledge Base
      • Search the knowledge base
    • Organizations
      • List organizations for the current user
      • Create an organization
      • Get organization details
      • Update organization details
      • Delete an organization
      • List organization members
      • Add a member to an organization
      • Update a member's role
      • Comprehensive member update (role, organization, team)
      • Remove a member from an organization
    • Profile & Analytics
      • Get my XP profile
      • Get a user's public profile
      • Get streak status
      • Get weekly XP activity
      • Get learning pulse (365-day heatmap)
      • Get daily quests
      • Get learning time analytics
    • Xentree English
      • List XEL modules with user progress
      • Get XEL module details
      • Submit a learning task response
      • Run AI evaluation for speaking or writing
      • Get the XEL dashboard overview
    • Xentree Live
      • Get remaining Xentree Live quota
      • Start a live session
      • Update an active live session heartbeat
      • End a live session
      • Update the user nickname used in Xentree Live
      • List live transcripts for the current user
      • Save live session transcripts
      • Get a single live transcript
    • Skills Connector
      • List active integrations for the current user
      • Start the Google Calendar OAuth flow
    • Integration Tokens
      • Issue tenant-scoped RS256 integration grant token
      • Verify tenant integration token signature and claims
      • Revoke integration token by token or jti
      • Rotate integration grant and optionally revoke previous token
      • Get tenant active JWKS material for verification
      • Get tenant active integration key fingerprints
      • Admin observability for integration token revocations
    • API Keys
      • List API keys
      • Create an API key
      • Delete an API key
  • Schemas
    • Error
    • TokenResponse
    • UserProfile
    • ChatRequest
    • ChatResponse
    • ConversationCreateRequest
    • ConversationResponse
    • KnowledgeSearchRequest
    • LiveStartSessionRequest
    • LiveSessionResponse
    • LiveQuotaResponse
    • TranscriptTurn
    • SaveLiveTranscriptsRequest
    • OrganizationCreateRequest
    • OrganizationResponse
    • MemberResponse
    • XELModuleSummary
    • XELTaskSubmissionRequest
    • XPProfileResponse
    • PublicXPProfileResponse
    • StreakStatusResponse
    • WeeklyActivityResponse
    • LearningPulseDayEntry
    • LearningPulseResponse
    • QuestItem
    • QuestsResponse
    • LearningTimeAnalyticsResponse
    • APIKeyCreateRequest
    • APIKeyResponse
    • IntegrationGrantRequest
    • IntegrationGrantResponse
    • IntegrationVerifyRequest
    • IntegrationVerifyResponse
    • IntegrationRevokeRequest
    • IntegrationRevokeResponse
    • IntegrationRotateRequest
    • IntegrationRotateResponse
    • IntegrationJWKSResponse
    • IntegrationFingerprintResponse
    • IntegrationTokenRevocationItem
  1. Documentation

API Keys

API keys provide server-to-server access to the Xentree API without requiring user session tokens.
Each key is scoped to an organization, carries a set of permission scopes, and can be optionally restricted to specific IP addresses or CIDR ranges.

Core capabilities#

create scoped API keys tied to an organization
list keys visible to the current user
revoke a key immediately by deleting it
restrict keys to specific IPs or CIDR ranges
set optional expiry dates per key

Key format#

All Xentree API keys use the prefix xntr- followed by 86 URL-safe base64 characters, totalling 91 characters.
xntr-<86 characters>
The full key value is returned only once at creation time and is never stored in plaintext. Copy it immediately and store it securely.

Authentication#

API Key endpoints are bearer-only. Use your user session token to manage keys.

Available scopes#

Grant only the scopes your integration needs. Current available scopes:
ScopeDescription
conversations:readRead conversation history
conversations:writeSend messages and manage conversations
rag:readSearch the knowledge base
rag:writeUpload and index documents
quiz:readRead quiz content and quiz results
quiz:writeSubmit quiz answers and manage quiz attempts
live:readRead quota and transcripts
live:writeManage live sessions and nicknames
organizations:readRead organization and member data
organizations:writeManage organizations and members
integrations:readRead integrations and verify tokens
integrations:writeManage integrations and issue grants
xel:readRead English learning modules and scores
xel:writeSubmit evaluations and track progress
api:readRead generic API metadata and read-level admin API actions
api:writeExecute write-level admin API actions
api:adminFull API administration scope

REST endpoints#

List API keys#

Return all API keys visible to the current user. Non-admins only see keys they created.
GET /api/admin/api-keys

Create an API key#

Issue a new scoped API key tied to one of your organizations.
POST /api/admin/api-keys
Representative request:
{
  "name": "Production LMS Integration",
  "organization_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "permissions": ["conversations:read", "conversations:write"],
  "rate_limit_per_minute": 60,
  "expires_at": null,
  "allowed_ips": ["203.0.113.42", "10.0.0.0/8"]
}

Delete an API key#

Permanently revoke a key. Any integration using it will fail immediately.
DELETE /api/admin/api-keys/{key_id}

IP allowlist#

Set allowed_ips to a list of IPv4/IPv6 addresses or CIDR ranges to restrict where the key can be used. If null or empty, the key is usable from any IP.

Using an API key#

Pass the key in the X-API-Key header for all requests:
Modified at 2026-04-25 11:36:54
Previous
Integration Tokens
Next
Errors and Limits
Built with