API Tokens
Authenticate your API requests using Personal Access Tokens (PATs). Tokens provide secure, scoped access to the Lexic API.
Personal Access Tokens (PATs)
Token Format
Lexic tokens follow a structured format for easy identification:
Example: pat_abc12def_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Security
- Shown once at creation: Copy your token immediately. You won't be able to see the full token again.
- Prefix visible later: The 8-character prefix remains visible in your dashboard for identification.
- SHA-256 hashed storage: Tokens are cryptographically hashed before storage. We never store plaintext tokens.
Using Tokens
Authorization Header
Include your token in the Authorization header using the Bearer scheme:
```bash
# cURL example
curl -X GET https://api.lexic.io/v1/notes \
  -H "Authorization: Bearer pat_abc12def_..."
```
JavaScript Example
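```javascript
// Load the token from the environment rather than hard-coding it.
// LEXIC_PAT is an assumed variable name; use whatever your secret store provides.
const PAT_TOKEN = process.env.LEXIC_PAT;

const response = await fetch('https://api.lexic.io/v1/notes', {
  headers: {
    'Authorization': `Bearer ${PAT_TOKEN}`,
    'Content-Type': 'application/json'
  }
});
```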
Token Limits
- Maximum tokens per user: 10
- Default expiration: 7 days
- Maximum expiration: 30 days
Note: Expired tokens are automatically revoked. Create a new token before expiration to maintain uninterrupted access.
Available Scopes
Scopes define what actions a token can perform. Apply the principle of least privilege: only grant the scopes your integration needs.
| Scope | Description |
|---|---|
| read | Read-only access to all resources |
| write | Create and update access |
| admin | Full administrative access |
| notes:create | Create notes only |
| notes:update | Update notes only |
| notes:delete | Delete notes only |
| workspaces:manage | Workspace administration |
| members:manage | Member administration |
| analytics:view | View analytics data |
Wildcard Support
Use wildcards for broader scope matching when you need access to all operations within a resource category.
notes:* → Matches notes:create, notes:update, and notes:delete
When to use wildcards
- Your integration needs full CRUD on a resource
- You want automatic access to new operations added later
When NOT to use wildcards
- You only need read access
- You want to limit blast radius if token is compromised
Architecture Note
For Developers
Lexic's AI processing (entity extraction, embedding generation, connection discovery) runs asynchronously via a job queue. This architecture ensures API responses remain fast while heavy processing happens in the background.
Callback URLs
The API supports optional callback URLs for job status notifications. When creating or updating notes, you can provide a webhook URL to receive processing completion events.
```
POST /v1/notes
{
  "content": "Your note content...",
  "callback_url": "https://your-app.com/webhooks/lexic"
}
```
Need help? Contact support for integration assistance with async workflows. We can help design the right callback pattern for your use case.
Security Best Practices
Never commit tokens to version control
Use environment variables or secret management tools.
Use the minimum required scopes
Only request scopes your integration actually needs.
Rotate tokens regularly
Create new tokens before expiration and revoke old ones.
Monitor token usage
Check audit logs for unexpected activity patterns.
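A check that supports the "never commit tokens" practice above, as an added example (not Lexic's own code): it scans file contents for full tokens and reports only the 8-character prefix, so a leaked token can be matched to its dashboard entry and revoked. The token pattern is an assumption inferred from the sample token under Token Format; the function names and sample files are constructed for illustration.

```javascript
// Assumption: pattern inferred from the sample token on this page
// (pat_ + 8-character prefix + _ + 32 lowercase letters/digits).
const PAT_PATTERN = /\bpat_([a-z0-9]{8})_[a-z0-9]{32}\b/g;

// Locate every full token in `text`. Findings carry only the 8-character
// prefix (the part the dashboard shows), never the secret itself.
function findTokens(text, file) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(PAT_PATTERN)) {
      findings.push({ file, line: i + 1, column: m.index + 1, prefix: m[1] });
    }
  });
  return findings;
}

// Mask the secret part so a line can be logged or pasted into a ticket.
function redact(text) {
  return text.replace(PAT_PATTERN, (_match, prefix) => `pat_${prefix}_[REDACTED]`);
}

// Scan a { path: content } map, e.g. the staged files of a commit.
function scanFiles(files) {
  const findings = Object.entries(files).flatMap(([path, text]) => findTokens(text, path));
  const revoke = [...new Set(findings.map((f) => f.prefix))];
  return { findings, revoke, ok: findings.length === 0 };
}

// Constructed sample input (the tokens below are made up for this example).
const SAMPLE_FILES = {
  '.env.example': 'LEXIC_PAT=pat_abc12def_...\n', // truncated placeholder: ignored
  'src/client.js': [
    'const PAT_TOKEN = process.env.LEXIC_PAT;',
    "const OLD = 'pat_zz99yy88_0123456789abcdefghijklmnopqrstuv';",
  ].join('\n'),
  'deploy.sh': 'curl -H "Authorization: Bearer pat_q1w2e3r4_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6" https://api.lexic.io/v1/notes\n',
};

const report = scanFiles(SAMPLE_FILES);
for (const f of report.findings) {
  console.log(`${f.file}:${f.line}:${f.column} Lexic PAT, prefix ${f.prefix}`);
}
console.log('Revoke in dashboard:', report.revoke.join(', '));
```

A token that reaches a commit should be treated as compromised even after the file is cleaned up: revoke it and create a new one.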