Authentication
All API requests require authentication using your API key plus three identifying headers.

API Key
Your API key is provided by DocBit AI and looks like:
Authorization header:
Required Headers
Every request must include these three headers:

X-External-Org-Id
Identifies which of your client organizations this request is for.
Examples: acme, beta-corp, client-123
X-External-User-Id
Identifies the specific user making the request.
- Enables per-user usage tracking
- Each user gets their own conversation history
- Allows per-user billing
Examples: user-456, the user's email address, u_abc123
X-External-Roles
A JSON array of roles assigned to this user.
Examples: ["employee"], ["hr", "manager", "all-staff"]
Alternative format (comma-separated): hr,manager
Complete Example
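The following is an added example, not DocBit AI's own client code. It builds the Authorization header and the three identifying headers, checks them client-side against the 400-class errors listed below before sending, and reads the key from the environment. The page does not state the Authorization scheme, the base URL, the endpoint path, the request body shape or the environment variable name, so Bearer, https://api.example.invalid, /v1/chat, the body and DOCBIT_API_KEY are all assumptions.

```python
"""Added example client for the header scheme described on this page.

Assumed (not stated by the page): Bearer token scheme, placeholder base URL
https://api.example.invalid, endpoint path /v1/chat, the request body shape,
and the DOCBIT_API_KEY environment variable name.
"""
import json
import os
import urllib.request

REQUIRED_HEADERS = ("X-External-Org-Id", "X-External-User-Id", "X-External-Roles")


def build_headers(api_key, org_id, user_id, roles):
    """Return the Authorization header plus the three identifying headers.

    `roles` is a list of role names; it is serialised as a JSON array, the
    primary format the page documents (the comma-separated form is also accepted).
    """
    if not roles:
        raise ValueError("At least one role is required")
    return {
        "Authorization": f"Bearer {api_key}",  # scheme assumed, not stated on the page
        "Content-Type": "application/json",
        "X-External-Org-Id": org_id,
        "X-External-User-Id": user_id,
        "X-External-Roles": json.dumps(list(roles)),
    }


def parse_roles(value):
    """Parse X-External-Roles in either documented format.

    Accepts a JSON array (["hr", "manager"]) or a comma-separated list
    (hr,manager); returns a list of non-empty role strings.
    """
    value = value.strip()
    if value.startswith("["):
        parsed = json.loads(value)
        if not isinstance(parsed, list) or not all(isinstance(r, str) for r in parsed):
            raise ValueError("X-External-Roles must be a JSON array of strings")
        roles = parsed
    else:
        roles = value.split(",")
    return [r.strip() for r in roles if r.strip()]


def validate_headers(headers):
    """Mirror the server's documented 400 checks client-side.

    Returns the error messages the page lists for missing headers and empty
    role lists; an empty list means those checks would pass. Header names are
    matched case-insensitively, as HTTP header names are.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    errors = []
    for name in REQUIRED_HEADERS:
        if name.lower() not in lowered:
            errors.append(f"Missing required header: {name}")
    if "x-external-roles" in lowered:
        try:
            if not parse_roles(lowered["x-external-roles"]):
                errors.append("At least one role is required")
        except ValueError as exc:  # json.JSONDecodeError is a ValueError
            errors.append(str(exc))
    return errors


def send_request(path, payload, org_id, user_id, roles,
                 base_url="https://api.example.invalid"):  # base URL assumed
    """Send one authenticated POST. The key is read from the environment, never
    from source code, following the page's "store API key securely" advice."""
    api_key = os.environ["DOCBIT_API_KEY"]  # variable name assumed
    headers = build_headers(api_key, org_id, user_id, roles)
    problems = validate_headers(headers)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(base_url + path, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; no network call is made here.
    os.environ.setdefault("DOCBIT_API_KEY", "placeholder-key-for-demo")
    hdrs = build_headers(os.environ["DOCBIT_API_KEY"], "acme", "user-456", ["hr", "manager"])
    print(hdrs["X-External-Roles"])
    print(validate_headers({"Authorization": "Bearer x", "X-External-Org-Id": "acme"}))
```

validate_headers runs the same checks the server documents as 400 responses, so a misconfigured integration fails locally with the documented message instead of burning a request; send_request itself is only reached when those checks pass.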
Error Responses
| Status | Error | Solution |
|---|---|---|
| 400 | Missing required header: X-External-Org-Id | Include the header |
| 400 | Missing required header: X-External-User-Id | Include the header |
| 400 | Missing required header: X-External-Roles | Include the header |
| 400 | At least one role is required | Provide at least one role |
| 401 | Invalid API key | Check your API key |
| 401 | API key is inactive | Contact support |
| 401 | API key has expired | Contact support |
Best Practices
Store API key securely
Use environment variables or a secrets manager. Never hardcode the key.
Use consistent identifiers
Use the same org ID and user ID for the same organization and user on every request. The pair identifies the user account under which conversation history persists, so a changed ID creates a new account with an empty history.
Pass accurate roles
Only pass roles the user actually has. Don’t give everyone admin access. The API trusts the roles your integration asserts, so derive them server-side from your own authorization system, never from anything the end user can supply.
Handle errors gracefully
Implement retry logic for transient failures (network errors, timeouts); 400 and 401 responses indicate a request or credential problem and will not succeed on retry. Don’t expose raw error messages to end users.
Key Rotation
If your API key is compromised:
- Contact DocBit AI support immediately
- We will generate a new key
- Update your application with the new key
- The old key will be deactivated