Getting started
Authentication
Every request is authenticated with a project-scoped API key sent as a bearer token. Keys are created in the dashboard and can be scoped, capped, and rotated at any time.
API keys
A GROUNDROCK key looks like mn_live_... or mn_test_.... Live keys hit real providers; test keys hit our deterministic mock.
bash
Authorization: Bearer mn_live_a83f2c...Never expose a live key in browser code, mobile bundles, or public repositories. Use an ephemeral scoped token instead — see below.
Scopes
Each key belongs to a project and can be scoped to specific models, providers, spend caps, and rate limits.
json
{
"name": "web-frontend",
"scopes": ["chat:read", "chat:write"],
"models": ["openai/gpt-5", "anthropic/claude-opus-4"],
"spend_cap_usd": 250,
"rate_limit_rpm": 600
}Rotation
Keys can be rotated with zero downtime. Old and new keys are accepted for a 24-hour overlap window.
bash
curl -X POST https://api.groundrock.dev/v1/keys/mn_live_a83f2c.../rotate \
-H "Authorization: Bearer $GROUNDROCK_ADMIN_KEY"Bring your own provider keys
Enterprise plans can attach their own OpenAI, Anthropic, or Google Cloud credentials. GROUNDROCK acts as a control plane; tokens are billed to your provider account directly.