Skip to main content
Operations: authentication with API keys and namespaces, document ACL for row-level security, webhooks for event subscriptions, manifests for config-as-code

Authentication

Every request requires a Bearer token and namespace header:
API keys are scoped to an organization. Namespaces provide the authorization boundary — use separate namespaces for dev, staging, and production. See API Keys to create scoped keys, set permissions, rotate and revoke them, and monitor per-key usage.

Secrets & LLM Keys

Store third-party API keys in an encrypted secrets vault. Secrets are encrypted at rest using Fernet symmetric encryption and are never exposed in API responses.

Manage Secrets

Bring Your Own Key (BYOK)

Use your own LLM API keys instead of Mixpeek’s default keys for cost control, higher rate limits, compliance, and independent key rotation. Supported providers: OpenAI, Anthropic, Google

Apply a Key to All LLM Operations

Set a key as the organization-wide default and it automatically applies to every LLM operation — extractors, retrievers, clustering, taxonomy inference, and manifest generation — with no per-stage configuration.
1

Store your key in the secrets vault

2

Set it as the org-wide default for that provider

Configure defaults for multiple providers at once:
In Studio, toggle “Use as default LLM key” when creating a secret to automatically apply it org-wide for the detected provider.

Override a Key on a Specific Stage

Set api_key directly on a retriever stage, extractor, or cluster config using {{secrets.name}} template syntax to override the org-wide default for that operation only:

Credential Resolution Order

  1. Per-resource api_key / {{secrets.name}} — explicit key on a specific stage or extractor
  2. Organization default — set once via default_llm_credentials, applied everywhere
  3. Mixpeek platform keys — used when no custom key is configured (usage charged to your Mixpeek account)
Values in default_llm_credentials are secret names, not raw API keys. Keys are encrypted at rest, never returned in API responses, decrypted on-demand per LLM call, and isolated per organization with no cross-tenant leakage.

Document Access Control

Apply row-level security to documents with ACL rules. Filter results by user roles or attributes at query time without changing retriever logic. User-scoped keys (usr_sk_) transparently filter every read so each end-user sees only their documents — no app-side filtering. For the full model (the _acl object, key types, public documents, sharing), see Document-Level ACL. For external policy engines, see Permissions (OpenFGA). Broader auth/tenancy: Security & Tenancy.

Webhooks

Subscribe to events like batch.completed, document.created, or alert.triggered:
Webhook API → · Full webhooks guide →

Manifests

Declare your entire namespace configuration as code — buckets, collections, retrievers, taxonomies — and apply it in one request:
Use POST /v1/manifest/diff to preview changes before applying. Manifest API →

Lineage & Audit Traces

Every document links back to its source, and every retriever execution produces an auditable trace.

Document Lineage

Track how a document was created — which object it came from, which collection processed it, and what features were extracted:
Returns the full decomposition tree: source object → batch → extracted documents. Use this to trace any search result back to the original file.
Lineage API →

Retriever Execution Traces

Every retriever execution captures a full trace — which stages ran, what scores were produced, which documents were dropped and why:
A trace includes:
  • Which retriever version and config were used
  • Each stage’s input parameters, output set, scores, and latency
  • Which feature URIs and collections were consulted
  • Which filters matched and which documents were eliminated
  • The final result set with per-document provenance
Traces are replayable — if a model version or taxonomy changes, you can compare results against historical executions. Execution API → · Explain API →

Environment Branching

Clone namespaces to create isolated environments for testing:
Branched namespaces share no state with the source — safe for experimentation. Clone API →