Overview
ARI has two types of API keys:
- Provider API keys — Keys for external services like OpenAI, Anthropic, etc. These are configured in Settings > Integrations.
- ARI API keys — Keys that grant external applications access to your ARI instance's API.
This page covers ARI API keys. For provider API keys, see AI Integrations.
ARI API Key Management
You can create and manage API keys for external access to your ARI instance in Settings > API.
Creating a Key
- Go to Settings > API
- Click "Create API Key"
- Give the key a descriptive name (e.g. "Automation Script", "Mobile App")
- Optionally pick an expiry date (see Expiring a Key below)
- Copy the key immediately — it will not be shown again
Using a Key
Include the API key in the x-api-key header of your requests:
x-api-key: your-api-key-here
Example:
curl -H "x-api-key: ari_k_your-key-here" https://your-ari-domain/api/openapi.json
Expiring a Key
When you create a key, you can choose how long it should remain valid. After the expiry date passes, ARI will reject any request using that key — same effect as revoking it, but automatic.
Available expiry options:
- 1 hour — great for one-off scripts or temporary access
- 7 days — short-term automation or trying out an integration
- 30 days — typical for ongoing scripts that you can rotate monthly
- 90 days — a sensible default for production integrations
- 1 year — longer-lived keys
- Never — the key stays valid until you revoke it manually
Pick the shortest expiry that still fits your use case. Shorter expiries limit your exposure if a key ever leaks.
You can see when each key expires in the Settings > API table. Once expired, the key shows up as inactive — you can leave it there for the audit trail or delete it.
Revoking a Key
To revoke a key, go to Settings > API, click the trash icon next to the key, and confirm. This is permanent and can't be undone:
- The key stops working immediately on the next request
- Any application or script using it will start getting 401 Unauthorized responses
- Existing requests already in flight will complete, but any new request will fail
Revoke keys you no longer need, and revoke any key you suspect has been exposed (committed to git, shared in a message, used from an unexpected IP, etc.).
Usage Logging
ARI logs API key usage so you can monitor which keys are being used and how often. Review usage periodically and revoke any keys that are no longer needed.
Email (Resend)
Optional. Enables email notifications and other email-based features.
- Create an account at resend.com
- Generate an API key
- Add RESEND_API_KEY to your environment configuration
Security Best Practices
- Never share your API keys or commit them to version control
- Use descriptive names so you can identify what each key is for
- Revoke keys that are no longer in use
- Use different keys for different applications
- Rotate keys periodically
- Monitor usage logs for unexpected activity
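
To back up the first practice above (and catch the "committed to git" case mentioned under Revoking a Key), here is an added example, not part of ARI itself, of a check you can run from a pre-commit hook or CI job. Only the ari_k_ prefix and the documentation placeholder come from this page; the key character set and minimum length, and the function names, are assumptions to adjust to your own keys.

```shell
#!/bin/sh
# Assumption: a real key is "ari_k_" followed by 8+ URL-safe characters.
ARI_KEY_RE='ari_k_[A-Za-z0-9_-]{8,}'
# Placeholder used in the docs; matching it is not a leak.
ARI_PLACEHOLDER='ari_k_your-key-here'

# redact_key KEY: keep the prefix and 4 characters so the finding can be
# matched to a key in Settings > API without copying the secret into logs.
redact_key() {
    printf '%s\n' "$1" | sed -E 's/^(ari_k_.{4}).*$/\1********/'
}

# scan_file FILE: print "FILE:LINE: redacted-key" for each hit.
# Returns 1 if the file contains at least one key, 0 otherwise.
scan_file() {
    # grep -n -o emits "LINE:KEY"; the second grep drops the docs placeholder.
    hits=$(grep -n -o -E -e "$ARI_KEY_RE" -- "$1" 2>/dev/null |
           grep -v -E -e ":${ARI_PLACEHOLDER}\$") || return 0
    printf '%s\n' "$hits" | while IFS=: read -r line key; do
        printf '%s:%s: %s\n' "$1" "$line" "$(redact_key "$key")"
    done
    return 1
}

# scan_paths FILE...: scan every regular file given; returns 1 if any leaked.
scan_paths() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        scan_file "$f" || rc=1
    done
    return "$rc"
}

# Hook usage (file names with spaces need extra handling):
#   scan_paths $(git diff --cached --name-only --diff-filter=ACM) || exit 1
```

A hit means the key should be revoked in Settings > API, not just removed from the file, since it may already be in history or in someone else's clone.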