Agents & API

Set up AI assistants safely in RailsPress using one-time agent keys and managed API access.

Configuration

Agents & API is opt-in. Enable API access in your RailsPress initializer before using this page.

config/initializers/railspress.rb
Railspress.configure do |config|
  config.enable_api
  config.current_api_actor_method = :current_user
end

API key and bootstrap key secrets are encrypted with Active Record Encryption. Configure your app encryption keys before issuing keys in admin.

See Configuration and API Overview for full setup details.

What Is Agents & API?

Agents & API is the admin area where you create and manage credentials for automation tools and AI assistants.

Open it from the admin sidebar at /railspress/admin/api_keys.

This page includes:

  • Generic assistant setup instructions
  • Direct API keys for integrations
  • One-time bootstrap keys for assistant onboarding
  • Status and usage details for existing keys

Create an Agent Key

Use an Agent Key when you want to onboard an assistant without sharing a long-lived token directly.

  1. Open Agents & API. Go to the key management page from the RailsPress admin sidebar.
  2. Click "New Agent Key". Give the key a clear name like "Editorial Assistant - April".
  3. Set expiration. Keep the default short expiration or set a specific end time for the task window.

Share Setup Instructions

After creating a key, RailsPress shows one-time setup instructions. Copy those instructions into your assistant tool.

Use this flow for least privilege in practice:

  • Assistant receives a short-lived bootstrap key.
  • Assistant exchanges it once for a working API key.
  • Bootstrap key is marked used and cannot be reused.

Important

Token values are shown once. Save them only in approved secret storage, and avoid posting tokens in chat or tickets.

Monitor and Revoke Keys

Use key status to control access:

  • Active: Key can still be used.
  • Used: Bootstrap key has already been exchanged.
  • Expired: Key timed out and no longer works.
  • Revoked: Access manually removed.

Revoke keys immediately if a session ends early or credentials were shared in the wrong place.
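
The one-time exchange and the four key statuses above, modelled as an added Ruby example. This is not RailsPress code: the `BootstrapKey` class, its method names, the SHA-256 digest storage and the status precedence are assumptions made for illustration (the page states that RailsPress encrypts key secrets with Active Record Encryption).

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory model of a one-time bootstrap key (not RailsPress code).
# Assumption: only a SHA-256 digest of the token is retained after issuance.
class BootstrapKey
  def initialize(ttl:, now: Time.now)
    @expires_at = now + ttl
    @used_at = @revoked_at = @token_digest = nil
  end

  # Returns the plaintext token exactly once; it cannot be displayed again.
  def issue!
    raise "already issued" if @token_digest
    token = SecureRandom.urlsafe_base64(32)
    @token_digest = Digest::SHA256.hexdigest(token)
    token
  end

  # Status names follow the page; the precedence order is an assumption.
  def status(now: Time.now)
    return :revoked if @revoked_at
    return :used if @used_at
    return :expired if now >= @expires_at
    :active
  end

  def revoke!(now: Time.now)
    @revoked_at ||= now
  end

  # Exchanges a valid bootstrap token for a new working API key, else nil.
  def exchange(token, now: Time.now)
    return nil unless status(now: now) == :active
    return nil unless same_digest?(Digest::SHA256.hexdigest(token.to_s))
    @used_at = now
    SecureRandom.urlsafe_base64(32)
  end

  private

  # Constant-time comparison so timing does not reveal how many bytes matched.
  def same_digest?(candidate)
    stored = @token_digest.to_s
    return false unless stored.bytesize == candidate.bytesize
    stored.bytes.zip(candidate.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end
```

In a database-backed implementation, the status check and the write that marks the key used must happen atomically (for example a conditional update), otherwise two concurrent exchanges could both succeed.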

Safe Team Workflow

  1. Create a unique key per assistant session or automation job.
  2. Name keys by owner and purpose so audits are clear.
  3. Prefer short expiration windows for temporary work.
  4. Rotate or revoke keys during handoffs and role changes.
  5. Review the key list regularly and remove stale credentials.

Tip

For recurring workflows, keep one documented runbook that includes key creation, verification, and revocation steps.