API Key Reference

Complete reference for API key format, permissions, rate limits, and technical specifications.


All API keys use a consistent format for easy identification:

```
idx_{role_prefix}{random_string}
```

| Component | Description | Example |
|---|---|---|
| Prefix | Always `idx_` | `idx_` |
| Role Indicator | Optional single character | `a` (admin), `b` (broker), `g` (agent) |
| Random String | Cryptographically secure random characters | `a1b2c3d4e5f6g7h8i9j0` |

```
idx_live_SAgFqBpAMP_znpf3GffgCI (Admin key)
idx_broker_Kp9mNq2rSt3vWx4yZ5 (Broker key)
idx_agent_Ab7cDe8fGh9iJk0lMn1 (Agent key)
```

Full Access

| Permission Category | Capabilities |
|---|---|
| Properties | Read, create, update, delete all properties |
| Users | Create, update, deactivate all users (admins, brokers, agents) |
| Brokerages | Create, update, delete all brokerages |
| API Keys | Create, view, revoke all API keys |
| System Config | Modify platform settings, feature flags |
| Data Management | Export, import, clear database tables |
| Analytics | Access all usage metrics and reports |

Brokerage Access

| Permission Category | Capabilities |
|---|---|
| Properties | Read all properties, update listings for assigned brokerage |
| Agents | Create, update, deactivate agents within assigned brokerage |
| Leads | View and manage leads for assigned brokerage |
| Brokerage Settings | Update settings for assigned brokerage only |
| Reports | Access brokerage-specific analytics |
| API Keys | Create and revoke keys for own brokerage (agent-level only) |

Personal Access

| Permission Category | Capabilities |
|---|---|
| Properties | Read-only access to all properties |
| Own Profile | Update own agent profile and preferences |
| Leads | View leads assigned to self only |
| Tours | Create and manage tour requests |
| Suggestions | Submit property update suggestions |
| Favorites | Manage own saved properties |

Default limits per API key (adjustable by administrators):

| Time Window | Limit | Applies To |
|---|---|---|
| Per Minute | 100 requests | All roles |
| Per Hour | 1,000 requests | All roles |
| Per Day | 10,000 requests | All roles |

| Endpoint Category | Per Minute | Per Hour |
|---|---|---|
| Read Operations (GET) | 100 | 1,000 |
| Write Operations (POST, PUT, PATCH) | 50 | 500 |
| Delete Operations (DELETE) | 10 | 100 |
| Search/Analytics | 30 | 300 |

Every API response includes rate limit information:

```
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1640995200
```

| Header | Type | Description |
|---|---|---|
| X-RateLimit-Limit | Integer | Maximum requests allowed in current window |
| X-RateLimit-Remaining | Integer | Requests remaining in current window |
| X-RateLimit-Reset | Unix Timestamp | When the rate limit window resets |

```
HTTP/1.1 429 Too Many Requests
Content-Type: application/json
Retry-After: 60
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1640995260

{
  "error": "rate_limit_exceeded",
  "message": "Rate limit exceeded. Retry after 60 seconds.",
  "retry_after": 60
}
```

```mermaid
sequenceDiagram
    Client->>API: Request with X-API-Key header
    API->>Database: Validate key
    Database-->>API: Key valid + role
    API->>API: Check permissions
    API-->>Client: Response or 401/403
```

| Response Code | Meaning | Action Required |
|---|---|---|
| 200-299 | Authenticated and authorized | Continue using key |
| 401 Unauthorized | Invalid or revoked key | Generate new key |
| 403 Forbidden | Valid key, insufficient permissions | Request higher-privilege key |
| 429 Too Many Requests | Rate limit exceeded | Implement backoff, reduce request rate |
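
The response codes and rate limit headers documented above, turned into a client-side decision function. This is an added example, not code from this API's documentation or SDK: the names `decide`, `MAX_WAIT` and `DEFAULT_WAIT` and the 3600-second and 60-second values are assumptions, while the header names and status codes are the ones on this page.

```python
import time

MAX_WAIT = 3600     # assumed cap, so a bogus header value cannot stall the client
DEFAULT_WAIT = 60   # assumed fallback when a 429 carries no usable header


def _int(headers, name):
    """Return a header as a non-negative int, or None if absent or malformed."""
    try:
        value = int(str(headers.get(name, "")).strip())
    except ValueError:   # missing, empty, or e.g. an HTTP-date in Retry-After
        return None
    return value if value >= 0 else None


def decide(status, headers, now=None):
    """Map one API response to (action, wait_seconds).

    "proceed": keep using the key.
    "wait":    sleep wait_seconds, then retry or continue.
    "stop":    retrying cannot succeed; the key or its role must change first.
    """
    now = int(time.time()) if now is None else int(now)
    headers = {k.lower(): v for k, v in headers.items()}  # HTTP names are case-insensitive
    reset = _int(headers, "x-ratelimit-reset")
    until_reset = max(reset - now, 0) if reset is not None else None

    if status in (401, 403):
        # 401: invalid or revoked key. 403: valid key, insufficient permissions.
        # Retrying either one only adds failed requests against this key.
        return ("stop", 0)
    if status == 429:
        wait = _int(headers, "retry-after")
        if wait is None:   # fall back to the window reset time
            wait = until_reset if until_reset is not None else DEFAULT_WAIT
        return ("wait", min(max(wait, 1), MAX_WAIT))
    if 200 <= status <= 299 and _int(headers, "x-ratelimit-remaining") == 0:
        # This request used up the window: pause until reset instead of drawing a 429.
        wait = until_reset if until_reset is not None else DEFAULT_WAIT
        return ("wait", min(wait, MAX_WAIT)) if wait > 0 else ("proceed", 0)
    return ("proceed", 0)
```
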

Each API key stores the following metadata:

| Field | Type | Description |
|---|---|---|
| id | UUID | Unique key identifier |
| key | String | Hashed API key value (original never stored) |
| name | String | User-provided descriptive name |
| role | Enum | admin, broker, or agent |
| brokerage_id | UUID | Associated brokerage (null for admin keys) |
| created_at | DateTime | Timestamp of creation |
| created_by | UUID | User who created the key |
| last_used_at | DateTime | Most recent successful authentication |
| revoked_at | DateTime | Timestamp when revoked (null if active) |
| revoked_by | UUID | User who revoked the key |

| Metric | Description | Retention Period |
|---|---|---|
| Request Count | Total successful requests | 90 days |
| Error Count | Failed requests (4xx, 5xx) | 90 days |
| Response Time | Average latency per endpoint | 30 days |
| Data Transfer | Bytes sent/received | 30 days |
| Endpoint Usage | Requests per endpoint path | 90 days |

```json
{
  "timestamp": "2024-12-28T10:30:00Z",
  "api_key_id": "550e8400-e29b-41d4-a716-446655440000",
  "endpoint": "/api/v1/properties",
  "method": "GET",
  "status_code": 200,
  "response_time_ms": 45,
  "bytes_sent": 15234,
  "bytes_received": 256,
  "ip_address": "203.0.113.42",
  "user_agent": "Custom Integration v1.2.3"
}
```

  • Algorithm: Cryptographically secure pseudo-random number generator (CSPRNG)
  • Entropy: 256 bits minimum
  • Character Set: Base62 (A-Z, a-z, 0-9)
  • Length: 32-48 characters (excluding prefix)
  • Hashing Algorithm: bcrypt with work factor 12
  • Original Key: Never stored, only hash
  • Salt: Unique per key, generated by bcrypt

Keys are validated in constant time to prevent timing attacks.