Authentication

Every API request to urelay requires two HTTP headers for authentication.

Headers

Header	Format	Example
`X-API-Key`	`ur_live_...`	`ur_live_k2x9f8a3b7c1d4e5`
`X-API-Secret`	`ur_secret_...`	`ur_secret_m6n7o8p9q0r1s2t3`

Both headers must be present on every request. If either is missing or invalid, the API returns a 401 Unauthorized error.

Creating API keys

Via the dashboard

Go to app.urelay.ai and navigate to API > Keys
Click Create Key and optionally provide a name
Copy the key and secret from the response

Via the API

curl -X POST https://app.urelay.ai/api/v1/keys \
  -H "Content-Type: application/json" \
  -H "X-API-Key: ur_live_EXISTING_KEY" \
  -H "X-API-Secret: ur_secret_EXISTING_SECRET" \
  -d '{"name": "Production"}'

Key rotation

To rotate credentials without downtime:

Create a new API key
Update your application to use the new credentials
Verify the new key works
Revoke the old key

# Revoke old key
curl -X DELETE https://app.urelay.ai/api/v1/keys/OLD_KEY_ID \
  -H "X-API-Key: ur_live_NEW_KEY" \
  -H "X-API-Secret: ur_secret_NEW_SECRET"

Security best practices

Store secrets in environment variables, never in source code
Use separate keys for development and production
Rotate keys periodically (recommended: every 90 days)
Revoke keys immediately if compromised
Monitor last_used_at on your keys to detect unauthorized use

Error responses

If authentication fails, the API returns:

{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API credentials"
  }
}

Common causes:

Missing X-API-Key or X-API-Secret header
Incorrect key or secret value
Key has been revoked

Headers​

Creating API keys​

Via the dashboard​

Via the API​

Key rotation​

Security best practices​

Error responses​