The header

Every authenticated request carries your key in the X-API-Key header.
curl https://intel-v1.exorde.io/v1/topics/global/trending \
  -H "X-API-Key: exd_trial_..."
No cookies, no OAuth. Keys are secret — treat them like passwords.

Key tiers and prefixes

Each key carries a prefix that hints at its tier. The prefix is cosmetic; the real tier is stored server-side and returned by GET /v1/me.
| Prefix | Tier | Typical source |
|---|---|---|
| exd_trial_ | Watch | POST /v1/keys/trial |
| exd_watch_ | Watch | Paid Watch subscription |
| exd_see_ | See | Paid See subscription |
| exd_know_ | Know | Paid Know subscription |
| exd_test_ | Test | Internal QA (not issued to customers) |

Minting a trial key

Public endpoint, IP-rate-limited, idempotent per email within the key’s active window.
curl -X POST https://intel-v1.exorde.io/v1/keys/trial \
  -H "Content-Type: application/json" \
  -d '{"email": "[email protected]"}'
A successful response (201) returns the full key record:
{
  "api_key": "exd_trial_...",
  "client_id": "trial_...",
  "tier": "watch",
  "topics": ["global"],
  "webhook_limit": 0,
  "rate_limit_rpm": 30,
  "active": true,
  "created_at": "2026-04-20T15:00:00Z",
  "expires_at": "2026-04-27T15:00:00Z",
  "reused": false
}
If you call this endpoint again with the same email while a valid key exists, you get the same key back with reused: true and HTTP 200. No duplicate keys, no silent issuance.

Inspecting the current key

curl https://intel-v1.exorde.io/v1/keys/current \
  -H "X-API-Key: $EXORDE_API_KEY"
Returns the same shape as the trial response, without reused. Use this to check your tier, expiry, and topic scope from a client at runtime.
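
An added example (not from the Exorde documentation) of the runtime check described above: it takes a key record shaped like the JSON on this page and reports expiry, inactive state, and missing topic scope before calls start failing with 403 key_expired or 403 topic_denied. The function names, the two-day warning window, exact-match topic comparison, the topic name "example-topic", and the sample key body are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Prefix -> tier hint, from the table on this page. Cosmetic only.
PREFIX_HINTS = {"exd_trial_": "watch", "exd_watch_": "watch", "exd_see_": "see",
                "exd_know_": "know", "exd_test_": "test"}

def redact(api_key):
    """Log-safe form of a key: keep the tier prefix, mask the secret part."""
    for prefix in PREFIX_HINTS:
        if api_key.startswith(prefix):
            return prefix + "****"
    return "****"

def check_key_record(record, required_topics, now, warn_within=timedelta(days=2)):
    """Return (tier, findings) for a record shaped like GET /v1/keys/current."""
    findings = []
    tier = record["tier"]  # authoritative: comes from the server, not the prefix
    hint = next((t for p, t in PREFIX_HINTS.items()
                 if record["api_key"].startswith(p)), None)
    if hint != tier:
        findings.append(f"prefix_mismatch: prefix suggests {hint}, server says {tier}")
    if not record.get("active", False):
        findings.append("inactive")
    # fromisoformat() rejects a trailing "Z" before Python 3.11, so normalise it.
    expires = datetime.fromisoformat(record["expires_at"].replace("Z", "+00:00"))
    if now >= expires:
        findings.append("expired")  # calls would fail with 403 key_expired
    elif expires - now <= warn_within:
        findings.append(f"expires_soon: {expires - now} left")
    for topic in required_topics:
        if topic not in record["topics"]:  # assumption: exact-match topic names
            findings.append(f"topic_not_in_scope: {topic}")  # 403 topic_denied
    return tier, findings

# Constructed sample: the trial record from this page with a made-up key body.
SAMPLE = {"api_key": "exd_trial_CONSTRUCTED0000", "client_id": "trial_constructed",
          "tier": "watch", "topics": ["global"], "webhook_limit": 0,
          "rate_limit_rpm": 30, "active": True,
          "created_at": "2026-04-20T15:00:00Z", "expires_at": "2026-04-27T15:00:00Z"}

if __name__ == "__main__":
    now = datetime(2026, 4, 26, 15, 0, tzinfo=timezone.utc)  # constructed clock
    tier, findings = check_key_record(SAMPLE, ["global", "example-topic"], now)
    print(redact(SAMPLE["api_key"]), tier, findings)
```

Only the redacted form of the key is printed, so the check can run in startup logs without exposing the secret.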

Rotating a key

Rotation issues a new key with the same tier, topics, limits, and expiry. The old key is deactivated atomically — switch your clients to the new key immediately.
curl -X POST https://intel-v1.exorde.io/v1/keys/rotate \
  -H "X-API-Key: $EXORDE_API_KEY"
Response:
{
  "old_api_key": "exd_trial_OLD...",
  "new_api_key": "exd_trial_NEW...",
  "client_id": "trial_...",
  "tier": "watch",
  "topics": ["global"],
  "webhook_limit": 0,
  "rate_limit_rpm": 30,
  "expires_at": "2026-04-27T15:00:00Z"
}
Expiry is not extended. Rotation is for credential hygiene, not lifetime extension.

Revoking a key

Permanent. Idempotent.
curl -X DELETE https://intel-v1.exorde.io/v1/keys/current \
  -H "X-API-Key: $EXORDE_API_KEY"
Response:
{
  "api_key": "exd_trial_...",
  "revoked": true,
  "already_inactive": false
}
Once revoked, the key cannot be reactivated. Every subsequent call returns 401 invalid_api_key.

Who am I

GET /v1/me returns the caller’s identity and full entitlements — tier, topic scope, rate limit, quotas, and usage. Ideal for building tier-aware UIs.
curl https://intel-v1.exorde.io/v1/me \
  -H "X-API-Key: $EXORDE_API_KEY"

Authentication errors

All auth errors use the standard typed envelope. See Errors for the full list. The four you’ll actually see:
| Status | Code | When |
|---|---|---|
| 401 | missing_api_key | Header not sent |
| 401 | invalid_api_key | Unknown, rotated, or revoked key |
| 403 | key_expired | Key past expires_at |
| 403 | topic_denied | Key valid but not scoped to the requested topic |

Operational guidance

  • Store keys server-side only. Never in a public SPA bundle, git, or a client-side env var shipped to users.
  • Rotate on suspicion of leak. Rotation is free and atomic.
  • Use /v1/me at startup to detect tier changes (upgrades, downgrades, expiries) without polling the billing system.
  • Handle 401 as “get a new key” and 403 as “ask the user to upgrade or change topic” — the codes are distinct for a reason.