Authentication

All RAIL API requests are authenticated with API keys. Keys are tied to your account, carry your credit balance, and appear in your usage logs.

API Key Lifecycle

Dashboard

Generate key

.env File

Store securely

Your Backend

Read at runtime

RAIL API Call

Authorization header

Response

Scoring result

Getting an API Key

Generate keys from the API Keys section of your dashboard. Keys start with rail_ and are shown once — copy them immediately.

Open Dashboard →Quick Start guide

Using the API Key

Pass your key as a Bearer token in the Authorization header on every request:

Authorization: Bearer YOUR_RAIL_API_KEY

Full curl example:

curl -X POST https://api.responsibleailabs.ai/railscore/v1/eval \
  -H "Authorization: Bearer YOUR_RAIL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"content": "Your AI-generated text here", "mode": "basic"}'

SDK Authentication

Both SDKs accept the API key at client construction and handle the header automatically:

from rail_score_sdk import RailScoreClient
import os

# Pass key directly (fine for scripts, not production web apps)
client = RailScoreClient(api_key="YOUR_RAIL_API_KEY")

# Recommended: read from environment variable
client = RailScoreClient(api_key=os.environ["RAIL_API_KEY"])

# The client attaches Authorization: Bearer <key> on every request

Environment Variables

Never hardcode API keys in source files. Use environment variables and keep keys out of version control.

Local development — dotenv

# .env  (add to .gitignore — never commit this file)
RAIL_API_KEY=YOUR_RAIL_API_KEY

# Python
from dotenv import load_dotenv, find_dotenv
import os
load_dotenv(find_dotenv())
api_key = os.environ["RAIL_API_KEY"]

# Node.js
import 'dotenv/config';   // or require('dotenv').config()
const apiKey = process.env.RAIL_API_KEY;

Vercel / Edge deployments

# Add via Vercel dashboard → Settings → Environment Variables
# Variable name: RAIL_API_KEY
# Environment:   Production (and optionally Preview)

# In your code (server-side only — never NEXT_PUBLIC_)
const apiKey = process.env.RAIL_API_KEY;

Important: Never prefix the key with NEXT_PUBLIC_ — that would expose it in the browser bundle.

Docker / containerized deployments

# Pass at runtime — never bake secrets into image layers
docker run -e RAIL_API_KEY=YOUR_RAIL_API_KEY my-app

# docker-compose.yml
services:
  app:
    image: my-app
    environment:
      - RAIL_API_KEY=${RAIL_API_KEY}   # sourced from host env

# Or mount a secrets file
docker secret create rail_api_key ./rail_key.txt

Key Management

You can create multiple keys for different environments (production, staging, CI). Manage keys from your dashboard:

Action	When to use
Generate key	New environment, onboarding a new service, or rotating credentials on schedule
Rename key	Add context — "production-chatbot", "staging-ci" — for usage tracking
Revoke key	Suspected leak, employee offboarding, or decommissioning a service. Immediate effect.

Rotation best practice: Generate a new key before revoking the old one. Deploy the new key to your service, verify it works, then revoke the old key — zero downtime.

Rate Limits

Rate limits are applied per API key. Exceeding the limit returns HTTP 429.

Plan	Requests / min	Requests / day
Free	10	100
Pro	60	5,000
Business	300	50,000
Enterprise	Custom — contact sales

Security Best Practices

•Never expose keys in client-side code. Browsers are public — always call the API from your backend or serverless function.
•Store in environment variables, never hardcoded in source files or Docker images.
•Add .env to .gitignore before the first commit so keys are never accidentally pushed.
•Use separate keys per environment. If staging is compromised, production stays safe.
•Revoke immediately if exposed. Generate a replacement first, then revoke — swapping takes seconds.
•Rotate on schedule. Periodically regenerating keys limits the blast radius of any undetected leak.

Auth Error Responses

Status	Error message	Fix
`401`	Missing or malformed Authorization header	Add `Authorization: Bearer …`
`401`	Invalid API key	Check the key is copied correctly (starts with `rail_`)
`403`	API key revoked or inactive	Generate a new key from the dashboard
`429`	Rate limit exceeded	Reduce request frequency or upgrade plan