Audience: Developers
Accounts API Contract
The Accounts API provides endpoints for managing API accounts and authentication keys. All account management endpoints require the master API key.
Authentication: All endpoints require the X-API-Key header with the master API key (from GL_DEEP_RESEARCH_MASTER_API_KEY environment variable).
Create Account (POST /v1/accounts/)
Create a new account and receive an API key. The API key is only returned once during creation - store it securely!
Authentication: Master API key required
Request:
curl -X POST https://stag-gl-deep-research.obrol.id/v1/accounts/ \
-H "X-API-Key: your-master-api-key" \
-H "Content-Type: application/json" \
-d '{
"name": "my-account"
}'
Request Body:
Field
Type
Required
Description
Account name (must be unique)
Response (201 Created):
Response Fields:
Indicates if the request was successful
API key for this account (only returned once)
Error Responses:
409 Conflict: Account already exists
400 Bad Request: Invalid request data
401 Unauthorized: Invalid or missing API key
⚠️ Important: The API key is only returned once during account creation. Store it securely!
List Accounts (GET /v1/accounts/)
List all accounts in the system.
Authentication: Master API key required
Request:
Response (200 OK):
Response Fields:
Indicates if the request was successful
Preview of the API key (first 3 + last 3 chars)
Account creation timestamp (ISO 8601)
Error Responses:
401 Unauthorized: Invalid or missing API key
500 Internal Server Error: Master API key not configured
Get Account (GET /v1/accounts/{account_id})
Get account information by ID.
Authentication: Master API key required
Request:
Path Parameters:
Parameter
Type
Required
Description
Response (200 OK):
Response Fields:
Indicates if the request was successful
Preview of the API key (first 3 + last 3 chars)
Account creation timestamp (ISO 8601)
Error Responses:
404 Not Found: Account not found
401 Unauthorized: Invalid or missing API key
Delete Account (DELETE /v1/accounts/{account_id})
Soft delete an account by ID. The account is marked as deleted but data is retained for audit purposes.
Authentication: Master API key required
Request:
Path Parameters:
Parameter
Type
Required
Description
Response (200 OK):
Response Fields:
Indicates if the request was successful
Error Responses:
404 Not Found: Account not found
401 Unauthorized: Invalid or missing API key
Note: This performs a soft delete - the account is marked as deleted but data is retained for audit purposes.
The system supports two types of API keys:
Master API Key: System-wide administrative key
Set via GL_DEEP_RESEARCH_MASTER_API_KEY environment variable
Required for: Account management, Profile management
Provides full system access
Account API Key: Per-account keys
Generated when creating accounts via POST /v1/accounts/
Required for: Research endpoints, Task endpoints
Scoped to the specific account
Include the API key in the X-API-Key header for all authenticated requests:
Security Features
✅ Bcrypt hashing: API keys are hashed using bcrypt before storage
✅ Salt per key: Each key gets a unique salt automatically
✅ Preview optimization: Reduces bcrypt operations by filtering candidates
✅ Constant-time comparison: Bcrypt prevents timing attacks
✅ No plaintext storage: Keys are hashed immediately after generation
✅ Key preview: Only first 3 and last 3 characters are shown in responses
Set master API key in environment variable (GL_DEEP_RESEARCH_MASTER_API_KEY)
Create an account using POST /v1/accounts/ with master key
Save the API key returned in the response (only returned once!)
Use the account API key in X-API-Key header for research and task endpoints
Use the master API key for administrative operations (accounts, profiles)
Last updated
