Enterprise API
Authentication
The enterprise API authenticates every request with an API key tied to your Obsidian account and plan.
API keys
Keys are prefixed with sk- and grant access to the data endpoints under your account's industry perimeter and plan limit. Treat a key like a password — anyone holding it can spend your verified requests.
Sending the key
Provide the key on every request, using either header form:
# Preferred: X-API-Key header curl https://api.obsidianri.com/frameworks \ -H "X-API-Key: sk-your-key-here" # Also supported: Authorization Bearer curl https://api.obsidianri.com/frameworks \ -H "Authorization: Bearer sk-your-key-here"
A missing or malformed key returns 401 Unauthorized with the detail "Missing API key. Provide via X-API-Key header or Authorization: Bearer <key>". Keep keys server‑side — never ship them in a browser or mobile app.
Managing keys
Keys are issued and managed from your Obsidian account. The API also exposes management endpoints for automation:
| Endpoint | Description |
|---|---|
POST/api/keys | Create a new API key. |
GET/api/keys | List your keys (prefixes and metadata, never the full secret). |
GET/api/keys/{prefix}/usage | Usage for a given key. |
POST/api/keys/{prefix}/renew | Rotate a key. |
POST/api/keys/{prefix}/revoke | Revoke a key immediately. |
Rate & usage limits
Usage is metered in verified requests per month and enforced per account, not per key — all of an account's keys draw from the same allowance.
| Plan | Verified requests / month |
|---|---|
| Free | 50 |
| Pro | 500 |
| Expert | 5,000 |
Once the monthly allowance is spent, data endpoints return 402 Payment Required until the next cycle or a plan upgrade.