citlyze docs
API

Security And Data Model

Understand read-only scope, workspace boundaries, and exported data limits.

The public API is intentionally read-only and workspace-scoped.

Read-only access

API keys can read export resources. They cannot create prompts, run tracking, change recommendations, edit drafts, manage billing, or mutate workspace settings.

Workspace boundary

Every request is authenticated to one workspace. The API only returns rows for that workspace.

Plan history

Exports respect the workspace plan history window. meta.history_start tells you the earliest effective export time for the request.

Excluded data

The public API does not expose:

  • billing internals
  • plan quota internals
  • raw provider request payloads
  • raw provider response payloads
  • hidden provider usage payloads
  • mutable internal admin endpoints

Safe key handling

Use a separate API key per integration. Revoke keys that are unused, exposed, or owned by a former teammate.

On this page