Authentication
API Key Format
Two kinds of key: kk_live_ (production, real LLM, deducts credits) and kk_test_ (sandbox, stub output, free). Format: kk_live_<32+ random base62 chars>. Send it via the header:
Authorization: Bearer kk_live_YOUR_TOKEN
Or alternatively: X-Api-Key: kk_live_YOUR_TOKEN.
Scopes (Least-Privilege)
| Scope | Allows |
|---|---|
| runs:write | Trigger workflow runs |
| runs:read | Read run status/results |
| workflows:read | List/get workflows |
| workflows:write | Create/update/delete workflows |
| reference-documents:read | List/get reference docs |
| reference-documents:write | Upload/delete reference docs |
| documents:write | Upload documents via presigned URL |
| webhooks:read | List/get webhook endpoints |
| webhooks:write | Create/delete webhook endpoints |
| prompt-templates:read | List prompt templates + AI generate |
| usage:read | Read usage/CDR/balance |
Default for new keys: runs:write, runs:read. Management scopes are opt-in.
Self-Provisioning (/v1/keys)
Create an API key with a Supabase session JWT (not with another API key, which avoids a circular bootstrap). Use the token from supabase.auth.getSession().
curl -X POST https://api.platform.kakak.ai/v1/keys \
-H "Authorization: Bearer <supabase_access_token>" \
-H "Content-Type: application/json" \
-d '{"name":"Production server","mode":"production"}'
The token is shown only once. Store it in an environment variable / secrets manager.
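A check that backs up the storage advice above, as an added example (not part of the platform's documentation or tooling): it scans text such as source or config files for strings matching the key format given on this page and reports them redacted. The function names and sample keys are constructed, and it assumes kk_test_ keys share the kk_live_ body format.

```python
import re
import sys

# Format from the page: kk_live_<32+ random base62 chars>.
# Assumption: kk_test_ keys use the same body format.
KEY_RE = re.compile(r"(?<![0-9A-Za-z])kk_(live|test)_([0-9A-Za-z]{32,})")

# Constructed sample input; none of these are real keys.
SAMPLE = """\
# deploy notes
KAKAK_API_KEY=kk_live_YOUR_TOKEN
curl -H "X-Api-Key: kk_live_0123456789abcdefghijKLMNOPQRSTUV" ...
TEST_KEY = "kk_test_ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210"
short = kk_live_tooShort123
"""


def redact(key: str) -> str:
    """Keep the prefix and last 4 chars: traceable in a report, not usable."""
    prefix, body = key[:8], key[8:]
    return prefix + "*" * (len(body) - 4) + body[-4:]


def scan(text: str, source: str = "<input>") -> list[dict]:
    """Return one redacted finding per key-shaped string in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append({
                "source": source,
                "line": lineno,
                "mode": "production" if m.group(1) == "live" else "sandbox",
                "key": redact(m.group(0)),
            })
    return findings


def has_live_key(findings: list[dict]) -> bool:
    """Production keys spend credits, so they should fail a commit or CI check."""
    return any(f["mode"] == "production" for f in findings)


if __name__ == "__main__":
    # With file arguments scan those files; otherwise scan the constructed sample.
    inputs = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    results = [f for src, txt in (inputs or [("<sample>", SAMPLE)]) for f in scan(txt, src)]
    for f in results:
        print(f'{f["source"]}:{f["line"]}: {f["mode"]} key {f["key"]}')
    sys.exit(1 if has_live_key(results) else 0)
```

The placeholder kk_live_YOUR_TOKEN and bodies shorter than 32 characters do not match, so documentation snippets do not trip the check. A production key that does turn up should be treated as exposed and revoked via DELETE /v1/keys/:publicId.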
Revocation & Rotation
Revoke a key via DELETE /v1/keys/:publicId; it takes effect instantly. Rotation: create a new key, update the application, revoke the old key.