Authentication
The Redline API uses bearer authentication. An Admin creates an API key under Settings > Developer settings > API keys and chooses the permissions it needs.
Send the key
Include the secret in the Authorization header on every request:
GET /v1/matters?limit=20 HTTP/1.1Host: api.redline.exampleAuthorization: Bearer rlk_live_••••••••••••Accept: application/jsonThe full secret is shown once. Store it in your deployment’s secret manager and inject it at runtime. Do not place a key in browser code, source files, support tickets, or request logs.
Workspace scoping
Each key belongs to exactly one Workspace. A request can access only resources in that Workspace, even if your organization operates several Workspaces. Create and rotate a separate key for each integration and environment.
Permissions are resource and action based. For example, an intake integration might need matters:write and documents:write, while an archive job needs matters:read and documents:read.
Authentication errors
401 unauthorizedmeans the key is missing, malformed, expired, or revoked.403 forbiddenmeans the key is valid but lacks the required permission.404 not_foundcan mean the resource exists in a different Workspace.
Next, configure webhooks for changes you need to receive without polling.