Brinpage

Authentication

Brinpage Platform’s API is authenticated using a license key. You include it in the request header as a standard Bearer token. Your key is effectively your “workspace access” token — treat it like a password.

The only rule that matters

Never call Brinpage directly from the browser. Always call Brinpage from a trusted server (your backend / API route / serverless function). The browser should only talk to your own backend endpoint.

1) Store the license key server-side

Put the key in your server environment. Never ship it to the client.

.env
# Server-side only
BRINPAGE_LICENSE_KEY="bp_xxxx"

# Optional (default shown)
BRINPAGE_API_BASE="https://platform.brinpage.com"

2) Send the header

Every Brinpage SDK request uses:

http
Authorization: Bearer <YOUR_LICENSE_KEY>

If the key is missing or invalid, the API responds with 401 Unauthorized.

3) Direct test (server-to-Brinpage)

Use curl from a trusted environment (your machine/server) to validate the key.

bash
curl -X POST https://platform.brinpage.com/api/sdk/ask \
  -H "Authorization: Bearer $BRINPAGE_LICENSE_KEY" \
  -H "Content-Type: application/json" \
  -d '{"question":"Hello from Brinpage","stream":false}'

Recommended production pattern

Put a thin “gateway” endpoint in your backend. The browser calls your endpoint; your endpoint calls Brinpage with the license key. This prevents accidental key leaks and gives you a place to add logging, rate limits, validation, and caching if needed.

Browser → Your API → Brinpage

Your API holds the key. The browser never sees it.

Example gateway (Node/Express)

Minimal example showing the idea (same concept in PHP/Python/Next.js).

javascript
import express from "express";

const app = express();
app.use(express.json());

app.post("/api/brinpage/ask", async (req, res) => {
  const question = String(req.body?.question || "").trim();
  if (!question) return res.status(400).json({ ok: false, error: "Missing question" });

  const r = await fetch("https://platform.brinpage.com/api/sdk/ask", {
    method: "POST",
    headers: {
      "Authorization": `Bearer ${process.env.BRINPAGE_LICENSE_KEY}`,
      "Content-Type": "application/json",
      "Accept": "application/json",
    },
    body: JSON.stringify({ question, stream: false }),
  });

  const data = await r.json().catch(() => ({}));
  if (!r.ok) return res.status(r.status).json({ ok: false, error: data?.error || "request_failed" });

  return res.json({ ok: true, answer: data.answer, raw: data });
});

app.listen(3000);

Key rotation & security basics

  • Treat the key like a password: don’t paste it into screenshots, client code, or public repos.
  • If you suspect a leak, rotate the key in Platform and update your server environment immediately.
  • Keep timeouts sane (e.g., 30s) and validate user input before calling Brinpage.
  • In production, prefer server-to-server calls only (no direct mobile/web calls with the key).
Installation GuidesNext: RAG Concepts

You can now safely call Brinpage from any backend. Next we’ll cover how RAG works in Brinpage and how tags / retrieval knobs affect results.