Every request to the MeshQu API (except health and readiness checks) requires two headers:
Header               Description
Authorization        Bearer <API_KEY>
X-MeshQu-Tenant-Id   Your tenant UUID

API keys

API keys are created via the /v1/api-keys endpoint (requires the api-keys:admin scope) or through the MeshQu Console. When you create a key, the plaintext value is returned exactly once. Store it securely — it cannot be retrieved again. The API stores only a hashed representation. Each key has:
  • Name — a human-readable label for audit trails.
  • Scopes — the set of permissions the key grants (see below).
  • Expiry (optional) — an expires_at timestamp after which the key is rejected.
  • Prefix/suffix — a safe fragment (e.g. mqk_abc...xyz) shown in dashboards for identification.

Revoking a key

DELETE /v1/api-keys/:id
Revoked keys are rejected immediately. Revocation is permanent.

Scopes

Each API key carries one or more scopes that control what it can access:
Scope                Grants access to
policies:read        List and read policies, versions, groups
policies:write       Create, update, deactivate policies and groups
decisions:evaluate   Evaluate decisions (dry-run)
decisions:read       List and read recorded decisions
decisions:write      Record decisions (evaluate + persist)
alerts:read          List and read alerts
alerts:write         Acknowledge alerts, manage webhook subscriptions
audit:read           Read audit events
audit:admin          Verify audit log integrity
api-keys:admin       Create, list, and revoke API keys
Principle of least privilege: create separate keys for different services. A service that only evaluates decisions needs decisions:evaluate — not api-keys:admin.

Multi-tenancy

All data in MeshQu is isolated per tenant. The X-MeshQu-Tenant-Id header determines which tenant’s data is accessed. The API key must belong to the specified tenant; a mismatch returns 403 Forbidden.

Rate limits

MeshQu applies two tiers of rate limiting:
Tier                  Scope                  Default limit
Pre-authentication    Per IP address         10,000 requests/minute
Post-authentication   Per tenant + API key   1,000 requests/minute
When a limit is exceeded the API returns 429 Too Many Requests with a Retry-After header. Standard rate-limit headers are included on every response:
rate-limit-limit: 1000
rate-limit-remaining: 997
rate-limit-reset: 1700000060

Example: creating an API key

curl -X POST https://api.meshqu.com/v1/api-keys \
  -H "Authorization: Bearer ADMIN_KEY" \
  -H "X-MeshQu-Tenant-Id: YOUR_TENANT_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "trade-service-prod",
    "scopes": ["decisions:evaluate", "decisions:write"]
  }'
Response (key shown once):
{
  "key": {
    "id": "key_uuid",
    "tenant_id": "tenant_uuid",
    "name": "trade-service-prod",
    "key_preview": "mqu_live_...x7Kf",
    "scopes": ["decisions:evaluate", "decisions:write"],
    "expires_at": null,
    "last_used_at": null,
    "is_active": true,
    "created_at": "2025-01-15T10:00:00Z",
    "created_by": null,
    "revoked_at": null,
    "revoked_by": null
  },
  "plaintext_key": "mqu_live_abc123...full_plaintext_key"
}
Store the plaintext_key value immediately; it will not be returned again.
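
A least-privilege audit over key metadata, as an added example that is not MeshQu's own code. It assumes key records shaped like the key object in the response above; the sample records, the 90-day staleness threshold and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def _ts(value):
    """Parse timestamps such as 2025-01-15T10:00:00Z; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def audit_key(key, now, stale_days=90):
    """Return least-privilege findings for one key record (empty list = clean)."""
    if not key["is_active"] or key["revoked_at"]:
        return []  # revoked keys are already rejected by the API
    findings = []
    scopes = set(key["scopes"])
    # A key that can mint other keys should not also be a workload credential.
    if "api-keys:admin" in scopes and len(scopes) > 1:
        findings.append("api-keys:admin mixed with other scopes")
    expires = _ts(key["expires_at"])
    if expires is None:
        findings.append("no expires_at set")
    elif expires <= now:
        findings.append("expired but not revoked")
    # Never-used keys are aged from their creation time.
    last_seen = _ts(key["last_used_at"]) or _ts(key["created_at"])
    if now - last_seen > timedelta(days=stale_days):
        findings.append(f"unused for more than {stale_days} days")
    return findings

def audit_all(keys, now):
    """Map key name -> findings, omitting keys with nothing to report."""
    return {k["name"]: f for k in keys if (f := audit_key(k, now))}

def _key(name, scopes, expires_at, last_used_at, active=True, revoked_at=None):
    # Builds a constructed record with the fields used above (assumed shape).
    return {"name": name, "scopes": scopes, "expires_at": expires_at,
            "last_used_at": last_used_at, "is_active": active,
            "created_at": "2025-01-15T10:00:00Z", "revoked_at": revoked_at}

# Constructed sample data, not real keys.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    _key("trade-service-prod", ["decisions:evaluate", "decisions:write"],
         "2025-12-31T00:00:00Z", "2025-05-30T08:00:00Z"),
    _key("ops-everything", ["api-keys:admin", "policies:write", "decisions:write"],
         None, "2025-05-31T12:00:00Z"),
    _key("old-batch-job", ["decisions:read"], "2025-04-01T00:00:00Z", None),
    _key("retired", ["audit:read"], None, None, active=False,
         revoked_at="2025-02-01T00:00:00Z"),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_KEYS, NOW).items():
        print(f"{name}: {'; '.join(findings)}")
```

Keys flagged here are candidates for replacement with narrower, expiring keys followed by revocation of the old one.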