Getting started

Authentication

Every request is authenticated with a project-scoped API key sent as a bearer token. Keys are created in the dashboard and can be scoped, capped, and rotated at any time.

API keys

A GROUNDROCK key looks like mn_live_... or mn_test_.... Live keys hit real providers; test keys hit our deterministic mock.

bash
Authorization: Bearer mn_live_a83f2c...
Never expose a live key in browser code, mobile bundles, or public repositories. Use an ephemeral scoped token instead — see below.

Scopes

Each key belongs to a project and can be scoped to specific models, providers, spend caps, and rate limits.

json
{
  "name": "web-frontend",
  "scopes": ["chat:read", "chat:write"],
  "models": ["openai/gpt-5", "anthropic/claude-opus-4"],
  "spend_cap_usd": 250,
  "rate_limit_rpm": 600
}

Rotation

Keys can be rotated with zero downtime. Old and new keys are accepted for a 24-hour overlap window.

bash
curl -X POST https://api.groundrock.dev/v1/keys/mn_live_a83f2c.../rotate \
  -H "Authorization: Bearer $GROUNDROCK_ADMIN_KEY"

Bring your own provider keys

Enterprise plans can attach their own OpenAI, Anthropic, or Google Cloud credentials. GROUNDROCK acts as a control plane; tokens are billed to your provider account directly.