Suiri is designed with a secure-by-default model that balances ease of use for developers with the controls required for production environments.

API Keys

All access to the Suiri API is authenticated using API keys.
  • API keys are generated in the Suiri dashboard
  • Each key is a unique, secret credential
  • API keys must be included in every request using the Authorization: Bearer header
Example: Authorization: Bearer YOUR_API_KEY

Important: API keys should be treated like passwords and never embedded directly in client-side code or public repositories.

Multiple API Keys & Chargeback

Suiri supports multiple API keys per account, enabling:
  • Separation of environments (development, staging, production)
  • Per-application and per-user usage tracking
  • Internal chargeback and cost attribution
  • Faster isolation of operational and performance issues

Best Practice: Use Separate API Keys per Application and User

Suiri strongly recommends creating separate API keys for each application and, where appropriate, each user or service. Using multiple API keys enables:
  • Clear chargeback and cost attribution by application, team, or customer
  • Faster troubleshooting by isolating errors and latency issues to a specific key
  • Safer key rotation without impacting unrelated services
  • Improved security posture by limiting blast radius if a key is compromised
Common production patterns:
  • One API key per environment (development, staging, production)
  • One API key per microservice or application
  • One API key per external customer or tenant in multi-tenant systems
Do not reuse a single API key across multiple applications or users, as this makes cost attribution, troubleshooting, and key rotation significantly harder. Each API key has independent usage metrics and billing visibility in the Suiri dashboard.

Key Rotation & Revocation

For security and operational hygiene, Suiri supports key rotation:
  • API keys can be revoked at any time from the dashboard
  • Revoked keys immediately lose access to the API
  • New keys can be generated without impacting other active keys
Regular key rotation is recommended for production workloads.

Billing as a Security Control

Inference requests on Suiri require an active billing method, including in demo environments. This helps:
  • Prevent abuse and unauthorized large-scale usage
  • Ensure predictable capacity planning and fair resource allocation
Requests without an active billing method will be rejected.

Secure Transport

  • All API traffic is encrypted in transit using TLS
  • Requests over insecure connections are rejected
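
A client-side sketch that combines the Authorization: Bearer header, one key per environment, and the TLS-only rule described above. This is an added example, not Suiri's own code. The variable names SUIRI_API_KEY_<ENV>, the host api.suiri.example and its path are assumptions and placeholders.

```python
import os
import urllib.request
from urllib.parse import urlsplit

# Assumed convention: one key per environment, injected by the deployment's
# secret store as an environment variable (never hardcoded in source).
ENVIRONMENTS = ("development", "staging", "production")


def load_key(env, environ=os.environ):
    """Return the API key for one environment, or raise if it is missing."""
    if env not in ENVIRONMENTS:
        raise ValueError(f"unknown environment: {env!r}")
    name = f"SUIRI_API_KEY_{env.upper()}"  # hypothetical variable name
    key = environ.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set")
    return key


def redact(key):
    """Form of the key that is safe to write to logs."""
    return f"{key[:4]}...({len(key)} chars)" if len(key) > 8 else "***"


def build_request(url, env, body=b"", environ=os.environ):
    """Build an authenticated request; refuse anything that is not HTTPS."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        # Fail before the key is ever attached to a cleartext request.
        raise ValueError("refusing to send an API key over a non-TLS URL")
    req = urllib.request.Request(url, data=body or None, method="POST")
    req.add_header("Authorization", f"Bearer {load_key(env, environ)}")
    return req


if __name__ == "__main__":
    # Constructed sample values; the host and path are placeholders.
    sample_env = {"SUIRI_API_KEY_STAGING": "sk-constructed-sample-0001"}
    req = build_request("https://api.suiri.example/placeholder", "staging",
                        b"{}", sample_env)
    print(req.full_url, redact(sample_env["SUIRI_API_KEY_STAGING"]))
```

Because a missing variable raises instead of falling back to another environment's key, a staging service cannot silently run on the production key.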

What Suiri Does Not Do

  • No long-lived sessions
  • No server-side prompt or response storage
  • No implicit trust based on IP address or client identity
Every request is independently authenticated and authorized.