These docs cover the S6S workflow engine — the developer playground layer underneath the product. For the main AI Visibility product (brand monitoring, the unified Report, fix actions), start at /docs/ai-visibility.
API Keys
Authenticate with the S6S API using Bearer tokens.
What are API keys?
API keys are Bearer tokens that authenticate your requests to the S6S API. Every call to the /api/v1/* endpoints requires a valid API key. Keys are scoped to your account — any workflow you deploy or run with a key belongs to your account.
Creating an API key
- Sign in to s6s.ai.
- Navigate to API Keys in the sidebar.
- Click Create API Key and give it a descriptive name (e.g. “production” or “ci-pipeline”).
- Copy the key immediately. It starts with
s6s_and is only shown once.
Important
If you lose your key, you cannot retrieve it. Create a new one and delete the old key from the API Keys page.
Using your API key
Pass your API key as a Bearer token in the Authorization header. Here are examples for each integration method:
curl
curl https://s6s.ai/api/v1/workflows \ -H "Authorization: Bearer s6s_your_api_key"
MCP server configuration
{
"mcpServers": {
"s6s": {
"command": "npx",
"args": ["@s6s/mcp-server"],
"env": {
"S6S_API_KEY": "s6s_your_api_key",
"S6S_BASE_URL": "https://s6s.ai"
}
}
}
}TypeScript SDK
import { S6SClient } from "@s6s/sdk";
const client = new S6SClient({
apiKey: process.env.S6S_API_KEY!, // "s6s_your_api_key"
baseUrl: "https://s6s.ai", // optional, defaults to s6s.ai
});
const result = await client.deploy({
name: "My Workflow",
trigger: { type: "manual" },
steps: [{ ref: "hello", action: "transform", config: { template: { msg: "hi" } } }],
flow: ["hello"],
});
console.log(result.runId);Environment variable
export S6S_API_KEY=s6s_your_api_key
Both the SDK and MCP server read from S6S_API_KEY by default when no key is passed explicitly.
Security best practices
- Never commit keys to git. Add
.envto your.gitignoreand use environment variables in CI/CD. - Use environment variables. Store your key in
S6S_API_KEYrather than hardcoding it in source files. - Rotate keys if compromised. If you suspect a key has been exposed, delete it immediately from the API Keys page and create a new one.
- Each key is scoped to your account. Anyone with your key can deploy and run workflows as you. Treat it like a password.
Rate limits
The S6S API enforces rate limits to ensure fair usage and platform stability:
| Endpoint | Limit | Window |
|---|---|---|
| POST /workflows/deploy | 30 requests | per minute, per IP |
| POST /api/webhooks/* | 60 requests | per minute, per IP, per path |
| All other endpoints | 120 requests | per minute, per IP |
When you exceed a rate limit, the API returns a 429 Too Many Requests response with a Retry-After header indicating how many seconds to wait before retrying.
HTTP/1.1 429 Too Many Requests
Retry-After: 12
Content-Type: application/json
{
"error": "rate_limit_exceeded",
"message": "Too many requests. Retry after 12 seconds."
}