Skip to content

Authentication

The Redline API uses bearer authentication. An Admin creates an API key under Settings > Developer settings > API keys and chooses the permissions it needs.

Send the key

Include the secret in the Authorization header on every request:

GET /v1/matters?limit=20 HTTP/1.1
Host: api.redline.example
Authorization: Bearer rlk_live_••••••••••••
Accept: application/json

The full secret is shown once. Store it in your deployment’s secret manager and inject it at runtime. Do not place a key in browser code, source files, support tickets, or request logs.

Workspace scoping

Each key belongs to exactly one Workspace. A request can access only resources in that Workspace, even if your organization operates several Workspaces. Create and rotate a separate key for each integration and environment.

Permissions are resource and action based. For example, an intake integration might need matters:write and documents:write, while an archive job needs matters:read and documents:read.

Authentication errors

  • 401 unauthorized means the key is missing, malformed, expired, or revoked.
  • 403 forbidden means the key is valid but lacks the required permission.
  • 404 not_found can mean the resource exists in a different Workspace.

Next, configure webhooks for changes you need to receive without polling.