Authentication
Every request authenticates with an API key sent in the X-API-Key
header. Keys are scoped to a single organization and to a set of
permissions.
```
X-API-Key: sk_live_K2J9...
```

Obtaining a key
- Sign in at oligontech.com/portal.
- Pick your organization (or create one).
- API keys → Create key. Name it after the workload (prod-extractor, local-dev-gustavo, etc.).
- Pick scopes — most workloads only need read + write.
- Copy the secret. We display it once. Lose it, rotate it.

Treat secrets like passwords. Never commit them, never log them, never ship them to clients. Use environment variables in production and a secrets manager for staging.
Key prefixes
| Prefix | Mode | Use for |
|---|---|---|
| sk_test_… | Sandbox | Local dev, CI, demos. No usage billed. |
| sk_live_… | Production | Real workloads. Billed per the active plan. |
| pk_publishable_… | Browser-safe | Upload-only, never returns sensitive fields. |
Scopes
| Scope | What it allows |
|---|---|
| read | GET on /v1/receipts, /v1/webhooks/events, /v1/org, /v1/team |
| write | POST /v1/extract, PATCH/DELETE on owned resources |
| admin | Member invites, API key creation/revocation, billing |
Scopes are additive: an admin key already covers read + write.
Setting the key in code
```
export OLIGON_API_KEY=sk_live_...
```

All three SDKs read this automatically.
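
An added example, not part of the SDKs or of this documentation's own code: a startup check that reads OLIGON_API_KEY and refuses a key whose prefix does not match the expected mode from the prefix table, plus a logging filter that enforces the "never log them" rule. The character set after the prefix and the names `redact`, `RedactKeys` and `load_key` are assumptions.

```python
import logging
import os
import re

# Prefix -> mode, taken from the "Key prefixes" table.
MODES = {"sk_test_": "sandbox", "sk_live_": "production",
         "pk_publishable_": "browser-safe"}

# Assumption: the part after the prefix uses URL-safe characters.
KEY_RE = re.compile(r"\b(sk_test_|sk_live_|pk_publishable_)[A-Za-z0-9_-]+")


def redact(text):
    """Replace any key-shaped token with its prefix plus a marker."""
    return KEY_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)


class RedactKeys(logging.Filter):
    """Scrub keys from the fully formatted log message."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # already merged into msg above
        return True


def load_key(expected_mode, environ=os.environ):
    """Read OLIGON_API_KEY and refuse a key of the wrong mode."""
    key = environ.get("OLIGON_API_KEY", "")
    mode = next((m for p, m in MODES.items() if key.startswith(p)), None)
    if mode is None:
        raise RuntimeError("OLIGON_API_KEY is missing or has an unknown prefix")
    if mode != expected_mode:
        # The error names the modes only, never the key itself.
        raise RuntimeError(f"expected a {expected_mode} key, got a {mode} key")
    return key


if __name__ == "__main__":
    fake = "sk_test_" + "A1b2C3d4E5f6"  # constructed sample, not a real key
    log = logging.getLogger("demo")
    log.addFilter(RedactKeys())
    logging.basicConfig(level=logging.INFO)
    load_key("sandbox", {"OLIGON_API_KEY": fake})
    log.info("loaded key %s", fake)  # logged with the secret part redacted
```

Attach the filter to each handler rather than a single logger if records from other loggers should be scrubbed too.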
Rotating keys
The dashboard supports zero-downtime rotation: create the new key, deploy it, then revoke the old one. Revoking takes effect within 60 seconds globally.
Suspicious activity
We monitor for usage anomalies (sudden 100× spike from a new region,
brute-forcing scopes, etc.) and will email all admin members before
auto-revoking. You can also call
/v1/api-keys/:id/revoke yourself.