RelayKey docs

The reference for the RelayKey v1 surface - integrations, disposable RelayKeys, the proxy URL, and the Management API.

Looking for the exact proxy behavior?

/docs/proxy covers auth forwarding, the headers RelayKey strips and injects, path handling, body handling, rate-limit headers, audit-log shape, and every status-code/block reason. Source-of-truth for AI agents and engineers integrating RelayKey.

Agents

Building with Claude Code, Codex, or Cursor? See https://relaykey.ai/agents for the agent-targeted migration recipe, and /docs/proxy for the wire-level reference.

Quickstart

RelayKey supports common API-key and bearer-token REST APIs. If your upstream API takes a header like Authorization: Bearer ... or x-api-key: ..., you can put it behind RelayKey today.

Sign in and create an integration. Give it a name, the upstream base URL, and your real upstream API key.
Issue a disposable RelayKey. Pick who it belongs to, then set allowed methods, paths, IP policy, and expiration.
Hand the rk_proxy_... token (or the share link) to the application, agent, vendor, or person.
Watch each request appear in the audit log.

Authentication

There are three places authentication shows up in RelayKey, each scoped to its own purpose.

Web dashboard

Magic-link sign-in by email. The dashboard sets an HTTP-only session cookie. No passwords.

Management API

Send a Bearer rk_mgmt_... token in the Authorization header on every request. Manage tokens at /app/settings.

Proxy / vendor calls

Applications, agents, vendors, and people send the RelayKey. Either header style is accepted, whichever the upstream SDK already uses:

bearer style

Authorization: Bearer rk_proxy_...

x-api-key style

x-api-key: rk_proxy_...

Integrations

An integration holds the upstream base URL and your real upstream API key (encrypted at rest, decrypted only in memory at request time). The Management API still names this resource connection for backwards compatibility.

POST /api/v1/connections

$ curl -X POST https://app.relaykey.ai/api/v1/connections \
    -H "Authorization: Bearer rk_mgmt_..." \
    -H "Content-Type: application/json" \
    -d '{
      "name":              "HubSpot - production",
      "base_url":          "https://api.hubapi.com",
      "auth_type":         "bearer",
      "upstream_key":      "pat-na1-...",
      "log_query_strings": false
    }'

For an x-api-key style API set auth_type: "header" and auth_header_name: "x-api-key".

Disposable RelayKeys

A RelayKey is the disposable token you hand to an application, AI agent, script, vendor, or person. It is bound to an integration and has its own scope, IP policy, and expiration. The underlying API endpoint is still named delegated-credentials for backwards compatibility.

POST /api/v1/delegated-credentials

$ curl -X POST https://app.relaykey.ai/api/v1/delegated-credentials \
    -H "Authorization: Bearer rk_mgmt_..." \
    -H "Content-Type: application/json" \
    -d '{
      "connection_id":   "conn_a1b2c3",
      "name":            "support-agent - read contacts only",
      "allowed_methods": ["GET"],
      "allowed_paths":   ["/crm/v3/objects/contacts/*"],
      "allowed_ips":     ["198.51.100.7/32"],
      "ttl_seconds":     86400
    }'

The response contains the raw rk_proxy_... token once. RelayKey stores only its SHA-256 hash. If you lose it, revoke and re-issue.

Proxy URL format

proxy URL pattern

https://proxy.relaykey.ai/<connection_id>/<upstream_path>

# Example
https://proxy.relaykey.ai/conn_a1b2c3/crm/v3/objects/contacts?limit=10

RelayKey strips the <connection_id> prefix, joins the rest onto the integration's base_url, swaps in the upstream real upstream key, and forwards the request. The RelayKey's method and path are checked first; on mismatch the proxy returns 403 without making the upstream call.

Management API reference

The full schema lives in the OpenAPI spec on GitHub. The most common endpoints are listed here for quick reference.

Method	Path	Description
GET	/api/v1/me	Returns the current org and management token.
GET	/api/v1/connections	List all connections in the current org.
POST	/api/v1/connections	Create a new connection (encrypts the upstream key).
GET	/api/v1/connections/{id}	Fetch a single connection by id.
GET	/api/v1/delegated-credentials	List disposable RelayKeys. Endpoint name is kept for API compatibility.
POST	/api/v1/delegated-credentials	Issue a new scoped RelayKey. Returns the rk_proxy_... token once.
POST	/api/v1/delegated-credentials/{id}/revoke	Revoke a RelayKey. Subsequent calls return 401 from the proxy.
GET	/api/v1/audit	Query the audit log. Filters: connection_id, credential_id, since, until.

See the full schema: docs/openapi.yaml.

IP allowlists

Each RelayKey can carry a list of CIDRs. Ifallowed_ips is set and the request source IP is outside the list, the proxy returns 403 without making the upstream call. Available on all tiers.

Human-held RelayKeys also support email confirmation on every new IP. Until confirmed, RelayKey returns 423 awaiting_activation and the upstream API is never reached.

allowed_ips

"allowed_ips": ["198.51.100.7/32", "203.0.113.0/24"]

Support matrix

Feature	Status	Notes
Bearer token (Authorization header)	Supported
x-api-key style custom header	Supported
Basic auth (RFC 7617)	Supported	HiBob, Greenhouse v1, others.
Query-string auth (?ak=..., ?key=...)	Supported	PurelyHR-style. Param redacted from audit logs.
OAuth 2.0 client_credentials (token refresh)	Supported	Talkdesk, Ramp, Greenhouse Harvest v3, Absorb.
OAuth refresh tokens (cataloged vendors)	Supported	DocuSign refresh-token grant.
AWS Signature v4	Not yet
Multipart uploads	Not yet
Streaming responses (SSE, chunked)	Not yet
GraphQL operation-level permissions	Not yet
Response body filtering	Never	Inspecting response bodies is out of scope.
Request body inspection	Never	Bodies pass through; we never log them.
Path allowlists (glob)	Supported
Method allowlists	Supported
RelayKey expiration	Supported
One-click revocation	Supported
Audit logs (paths)	Supported
Audit logs (query strings, opt-in)	Supported
IP allowlists on key holders	Supported
2FA for API keys (step-up email confirm on new IPs)	Supported	Default on for human-held RelayKeys. New IPs return 423 before the upstream is reached until confirmed.

FAQ

Does RelayKey ever see my upstream API key in plaintext?

Only in memory on the proxy server, just long enough to attach it to the outbound request. It is not logged and not echoed back in the dashboard after creation.

What happens when I revoke a RelayKey?

The next request using that token returns 401 from RelayKey before any upstream call is made. Already-completed responses are not affected.

Can I bring my own domain?

On custom plans. The proxy can be served from api.yourcompany.com via CNAME.

Where can I get help?

Email [email protected]. Founder-assisted setup is available on every tier.