Authentication
Snipara supports multiple authentication methods: API keys for programmatic access, OAuth for interactive flows, and device flow for CLI tools.
Overview
| Method | Use Case | Format |
|---|---|---|
| Project API Key | Single project access | rlm_pk_... |
| Team API Key | Multi-project access | rlm_team_... |
| OAuth Token | Device flow / CLI | snipara_at_... |
Header Formats
```
# API Key (recommended for scripts)
X-API-Key: rlm_pk_your_key_here

# OAuth Token (for device flow)
Authorization: Bearer snipara_at_your_token_here
```
API Keys
Project API Keys
Access a single project via MCP or REST API.
| Access Level | Description | Available Tools |
|---|---|---|
| VIEWER | Read-only access | rlm_context_query, rlm_ask, rlm_search, rlm_recall |
| EDITOR | Read + Write (default) | All VIEWER + rlm_remember, rlm_inject, rlm_upload_document |
| ADMIN | Full access | All tools including rlm_swarm_create, rlm_claim, rlm_task_create |
Creating API Keys
- Go to Project > API Keys in the dashboard
- Click "Create API Key"
- Enter a name and select an access level (VIEWER/EDITOR/ADMIN)
- Copy the key immediately (it is shown only once)
Using API Keys
```bash
curl -X POST https://api.snipara.com/mcp/my-project \
  -H "Content-Type: application/json" \
  -H "X-API-Key: rlm_pk_abc123..." \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/call",
    "params": {
      "name": "rlm_ask",
      "arguments": {"query": "How does auth work?"}
    }
  }'
```
Team API Keys
Access all projects in a team with a single key. Format: rlm_team_...
```bash
# Multi-project query with team key
curl -X POST https://api.snipara.com/mcp/team/my-team \
  -H "X-API-Key: rlm_team_abc123..." \
  -d '{"jsonrpc":"2.0","method":"tools/call","params":{
    "name":"rlm_multi_project_query","arguments":{"query":"authentication"}}}'
```
Device Flow
Device flow enables CLI and headless authentication without browser interaction during operation. It is well suited to snipara-mcp and the VS Code extension.
```
┌─────────────┐                              ┌─────────────┐
│     CLI     │                              │   Snipara   │
└──────┬──────┘                              └──────┬──────┘
       │                                            │
       │  1. Request device code                    │
       │     POST /api/oauth/device/code            │
       │───────────────────────────────────────────>│
       │                                            │
       │  {device_code, user_code, uri}             │
       │<───────────────────────────────────────────│
       │                                            │
       │  2. Display: "Go to snipara.com/device"    │
       │     Display: "Enter: ABCD-1234"            │
       │                                            │
       │  3. User opens browser, enters code        │
       │                                            │
       │  4. Poll: POST /api/oauth/device/token     │
       │───────────────────────────────────────────>│
       │                                            │
       │  {access_token, api_key, project_slug}     │
       │<───────────────────────────────────────────│
```
Step 1: Request Device Code
```bash
curl -X POST https://www.snipara.com/api/oauth/device/code \
  -H "Content-Type: application/json" \
  -d '{"client_id": "snipara_cli", "auto_provision": true}'
```
Response:
```json
{
  "device_code": "abc123def456ghi789...",
  "user_code": "ABCD-1234",
  "verification_uri": "https://snipara.com/device",
  "verification_uri_complete": "https://snipara.com/device?code=ABCD-1234",
  "expires_in": 900,
  "interval": 5
}
```
Step 2: Poll for Token
```bash
curl -X POST https://www.snipara.com/api/oauth/device/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
    "device_code": "abc123def456ghi789...",
    "client_id": "snipara_cli"
  }'
```
Success response (with auto_provision: true):
```json
{
  "access_token": "snipara_at_abc123...",
  "token_type": "Bearer",
  "expires_in": 86400,
  "refresh_token": "snipara_rt_def456...",
  "project_slug": "my-project",
  "api_key": "rlm_pk_abc123...",
  "mcp_endpoint": "https://api.snipara.com/mcp/my-project"
}
```
Auto-Provision
With auto_provision: true, new users automatically get a free account, personal workspace, default project, and API key — zero friction onboarding.
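Steps 1 and 2 of the device flow as a polling loop that honors `interval` and `expires_in`, added here as an example and not taken from Snipara's client code. The `authorization_pending` and `slow_down` error codes are assumed from RFC 8628, which defines the grant type used above; the injected `post` callable, `make_fake_server` and the `*_EXAMPLE` values are constructed so the loop runs offline.

```python
import time

# www host on purpose: the page notes the bare domain answers POST with 405.
TOKEN_URL = "https://www.snipara.com/api/oauth/device/token"
GRANT = "urn:ietf:params:oauth:grant-type:device_code"
PREFIXES = ("snipara_at_", "snipara_rt_", "rlm_pk_", "rlm_team_")

class DeviceFlowError(Exception):
    """Raised when the server reports a terminal error or the device code expires."""

def poll_for_token(post, device_code, interval, expires_in,
                   client_id="snipara_cli", sleep=time.sleep, clock=time.monotonic):
    """Poll until approval. post(url, body) -> (status, dict) is injected (hypothetical)."""
    deadline = clock() + expires_in          # expires_in from the step 1 response
    body = {"grant_type": GRANT, "device_code": device_code, "client_id": client_id}
    while clock() < deadline:
        sleep(interval)                      # never poll faster than the server asked
        status, data = post(TOKEN_URL, body)
        if status == 200 and "access_token" in data:
            return data
        error = data.get("error")
        if error == "authorization_pending": # assumed RFC 8628 code: user not done yet
            continue
        if error == "slow_down":             # assumed RFC 8628 code: add 5 s and go on
            interval += 5
            continue
        raise DeviceFlowError(error or f"unexpected HTTP {status}")
    raise DeviceFlowError("device code expired before approval")

def redact(token_response):
    """Copy of the response that is safe to log: secrets cut down to their prefix."""
    def mask(value):
        prefix = next((p for p in PREFIXES if value.startswith(p)), "")
        return prefix + "***"
    secret_fields = {"access_token", "refresh_token", "api_key"}
    return {k: mask(v) if k in secret_fields else v for k, v in token_response.items()}

def make_fake_server(pending=2):
    """Constructed stand-in for the token endpoint: `pending` waits, then success."""
    calls = []
    def post(url, body):
        calls.append((url, body))
        if len(calls) <= pending:
            return 400, {"error": "authorization_pending"}
        return 200, {"access_token": "snipara_at_EXAMPLE", "token_type": "Bearer",
                     "expires_in": 86400, "refresh_token": "snipara_rt_EXAMPLE",
                     "api_key": "rlm_pk_EXAMPLE", "project_slug": "my-project"}
    return post, calls
```

The success response carries three secrets (`access_token`, `refresh_token`, `api_key`), so pass it through `redact` before it reaches any log or terminal output.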
Rate Limiting
| Plan | Requests/Minute | Monthly Queries |
|---|---|---|
| FREE | 10 | 100 |
| PRO | 60 | 5,000 |
| TEAM | 100 | 20,000 |
| ENTERPRISE | 1,000 | Unlimited |
Rate Limit Headers
```
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1705320000
```
Security Best Practices
Never Commit Keys
Use environment variables. Add .env to .gitignore.
Rotate Regularly
Generate new keys periodically. Revoke old keys.
Use Minimal Scope
Prefer project keys over team keys. Use VIEWER when write access isn't needed.
Set Expiration
Create time-limited keys for temporary access.
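A pre-commit style check for the "Never Commit Keys" rule, added here as an example and not part of Snipara's tooling. The prefixes are the ones documented on this page; the token alphabet, the 16-character minimum, the placeholder words and the sample text are assumptions constructed for the example.

```python
import re
import sys

# Prefixes are the ones this page documents. The token alphabet and the
# 16-character minimum are assumptions made for this example.
KEY_RE = re.compile(r"\b(rlm_pk_|rlm_team_|snipara_at_|snipara_rt_)([A-Za-z0-9_-]{16,})")
PLACEHOLDER_RE = re.compile(r"your_|example|placeholder", re.IGNORECASE)

def find_snipara_keys(text, path="<text>"):
    """Return (path, line_no, kind, masked) for each likely live credential."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in KEY_RE.finditer(line):
            prefix, body = match.groups()
            if PLACEHOLDER_RE.search(body):      # documentation stand-ins
                continue
            # Report the type and length only; never echo the secret itself.
            hits.append((path, line_no, prefix.rstrip("_"), f"{prefix}***({len(body)})"))
    return hits

def scan_files(paths):
    """Scan files (for example the staged files a pre-commit hook passes in)."""
    hits = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            hits.extend(find_snipara_keys(handle.read(), path))
    return hits

# Constructed sample; none of these values are real credentials.
SAMPLE = """\
# settings.py
SNIPARA_API_KEY = os.environ["SNIPARA_API_KEY"]
DOC_EXAMPLE = "rlm_pk_your_key_here"
LEAKED = "rlm_pk_9f8e7d6c5b4a39281706f5e4"
HEADERS = {"Authorization": "Bearer snipara_at_Zx81kQp0Lm33TtY7aaB2"}
"""

if __name__ == "__main__":
    found = scan_files(sys.argv[1:]) if sys.argv[1:] else find_snipara_keys(SAMPLE)
    for path, line_no, kind, masked in found:
        print(f"{path}:{line_no}: {kind} credential {masked}")
    sys.exit(1 if found and sys.argv[1:] else 0)  # fail only when real files were scanned
```

A key that this check finds in a staged file or in history should be revoked and regenerated in the dashboard, not just deleted from the file.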
Environment Variables
```
# .env (never commit!)
SNIPARA_API_KEY=rlm_pk_your_key_here

# .gitignore
.env
.env.local
.env.*.local
```
Requesting Project Access
If you can authenticate but still have no effective access to a project, use rlm_request_access to ask project admins for a higher access level.
rlm_request_access
```
rlm_request_access({
  requested_level: "EDITOR",
  reason: "Need to upload onboarding docs and store rollout decisions"
})
```
This creates an access request for project admins to review in the dashboard. Use it when your identity is valid but your current role is NONE or too limited for the task you need to perform.
Troubleshooting
| Error | Cause | Solution |
|---|---|---|
| "Missing authentication" | No credentials provided | Add X-API-Key header |
| "Invalid API key" | Key revoked or expired | Generate new key in dashboard |
| "Invalid OAuth token" | Token expired (24h validity) | Refresh with refresh_token |
| "Rate limit exceeded" | Too many requests | Wait and retry with backoff |
| "405 Method Not Allowed" | Using snipara.com instead of www.snipara.com | Use www.snipara.com for POST |