API keys are the simplest way to authenticate requests to the RegexNest API. Each key is tied to a workspace and carries a set of scopes that define what resources it can access.
Keys are 64-character hex strings prefixed with rnk_live_ for production and rnk_test_ for sandbox environments. Generate them from Settings → API & Integrations in your workspace dashboard. Every key supports the following scopes: regex:read, regex:write, library:read, and library:admin. You can select scopes at creation time; they cannot be broadened later, but you can rotate the key at any point.
Include your key in the Authorization header of every request:
Authorization: Bearer rnk_live_a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890
Production keys are rate-limited to 1,200 requests per minute per key. Test keys are capped at 200 requests per minute and never reach live data. Keys expire after 365 days unless renewed from the dashboard. Rotating a key invalidates the previous value immediately — plan your rollout accordingly.
regex:read — query patterns, run matches, list saved expressions.
regex:write — create, update, and delete patterns in your workspace.
library:read — browse and download community regex libraries.
library:admin — publish, version, and moderate library contributions.
Production: 1,200 req/min per key. Burst allowance of 50 requests over a 2-second window. Test: 200 req/min. All limits reset at the start of each minute. Exceeding the limit returns 429 Too Many Requests with a Retry-After header.
Rotate keys monthly in production environments. The dashboard supports generating a replacement key while the old one remains active for a 48-hour grace window. After rotation, the old key is listed as revoked and cannot be restored.
OAuth 2.0 is the recommended authentication method when building third-party integrations, CLI tools, or services that act on behalf of end users. RegexNest supports the Authorization Code Grant with PKCE for public clients.
Register your application under Settings → OAuth Applications. You'll receive a client_id and a client_secret. Configure one or more redirect URIs — these must use HTTPS and cannot contain wildcards. The authorization endpoint is https://auth.regexnest.com/authorize; the token endpoint is https://auth.regexnest.com/token.
The flow works in four steps:
1. Redirect the user to the authorization endpoint with your client_id, a code_challenge (PKCE), the requested scopes, and a state parameter for CSRF protection.
2. The user logs in and consents to the requested permissions. RegexNest redirects back to your registered URI with an authorization code.
3. Exchange the code for an access token and refresh token by posting to the token endpoint with your client_secret and the code_verifier.
4. Use the access token in the Authorization: Bearer header for subsequent API calls. Refresh tokens remain valid for 90 days.
Access tokens expire after 1 hour. Refresh tokens are single-use: each refresh call returns a new access token and a new refresh token, invalidating the previous one.
openid — obtain an ID token with basic user profile.
profile — access name, email, and avatar.
regex:read — read workspace patterns and match results.
regex:write — modify patterns and create new expressions.
workspaces:read — list workspaces the user belongs to.
workspaces:admin — manage workspace membership and billing.
All OAuth clients must use the S256 code challenge method. Generate a 43–128 character cryptographically random string as the code verifier, then SHA-256 hash it and Base64URL-encode (without padding) the result for the code challenge. RegexNest rejects authorization requests that omit the code_challenge parameter.
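The PKCE and state handling from steps 1 and 2 above, as an added example (not RegexNest's own SDK): it derives the S256 challenge from a random verifier, builds the authorization URL, and rejects a callback whose state does not match. The client_id and redirect URI are constructed placeholders, and the query parameter names are the standard OAuth 2.0 / PKCE ones, which this page does not spell out.

```python
import base64
import hashlib
import secrets
import urllib.parse

AUTHORIZE_URL = "https://auth.regexnest.com/authorize"  # from the docs
CLIENT_ID = "example-client-id"                          # constructed placeholder
REDIRECT_URI = "https://app.example.com/oauth/callback"  # constructed placeholder


def _b64url(data: bytes) -> str:
    """Base64URL without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Cryptographically random verifier; 32 bytes encode to 43 characters."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: Base64URL(SHA-256(verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(scopes, state, verifier):
    """Step 1: the redirect URL the user is sent to (standard parameter names)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def check_callback(callback_url, expected_state):
    """Step 2: only accept the code if the state matches what we issued (CSRF check)."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discard this callback")
    return query["code"][0]
```

The state and verifier must be kept server-side (or in the client's own storage) between steps 1 and 3; the verifier is sent only in the token exchange.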
A successful token response includes access_token (JWT, 1h TTL), refresh_token (opaque, 90d TTL), token_type (Bearer), expires_in (3600), and scope (space-separated list of granted scopes). ID tokens are returned only when openid is requested.
Protecting your credentials and enforcing least-privilege access keeps your RegexNest workspace safe. Follow these guidelines to minimize exposure and maintain a strong security posture.
Never embed API keys or client secrets in client-side JavaScript, public repositories, or build artifacts. Store secrets in environment variables or a secrets manager such as HashiCorp Vault, AWS Secrets Manager, or Doppler. RegexNest never logs request bodies containing credentials, but keys transmitted in query strings may appear in server access logs.
Apply the principle of least privilege: grant each key or OAuth application only the scopes it genuinely needs. A CI pipeline that runs regex validation tests requires regex:read — it does not need library:admin. Audit your active keys quarterly from the dashboard and revoke anything that is unused or overly permissive.
Enforce HTTPS for all API communication. RegexNest rejects unencrypted HTTP requests with a 403 Forbidden response. For OAuth integrations, validate the state parameter on callback to prevent CSRF attacks, and verify the iss and aud claims in ID tokens before trusting their contents.
Rotate production keys every 90 days. Label each key with its purpose (e.g., ci-pipeline-staging, analytics-dashboard) so you can identify and revoke compromised keys quickly. The dashboard shows last-used timestamps for every active key.
Restrict API key usage to specific IP ranges from the workspace settings. Allowlisted keys will only succeed when requests originate from the configured CIDR blocks. This is especially useful for keys used by internal CI servers or deployment pipelines with static IPs.
If a key is compromised, revoke it immediately from the dashboard — this is instantaneous and cannot be undone. Then generate a replacement key with the same scopes and update your integrations. Report the incident to security@regexnest.com within 24 hours so the team can review access logs and confirm no unauthorized data was accessed.