Exa Enterprise RBAC
Overview
Manage access to Exa AI search API through API key scoping and team-level controls. Exa is an API-first product with per-search pricing, so access control centers on API key management, rate limiting, and domain restrictions rather than traditional user roles.
Prerequisites
-
Exa API account with team plan
-
Dashboard access at dashboard.exa.ai
-
At least one API key with management permissions
Instructions
Step 1: Create Scoped API Keys per Use Case
set -euo pipefail
Create a key for the RAG pipeline (high volume, neural search only)
curl -X POST https://api.exa.ai/v1/api-keys
-H "Authorization: Bearer $EXA_ADMIN_KEY"
-d '{
"name": "rag-pipeline-prod",
"allowed_endpoints": ["search", "get-contents"],
"rate_limit_rpm": 300, # 300: timeout: 5 minutes
"monthly_search_limit": 50000 # 50000ms = 50 seconds
}'
Create a restricted key for the internal tool (low volume)
curl -X POST https://api.exa.ai/v1/api-keys
-H "Authorization: Bearer $EXA_ADMIN_KEY"
-d '{
"name": "internal-research-tool",
"rate_limit_rpm": 30,
"monthly_search_limit": 5000 # 5000: 5 seconds in ms
}'
Step 2: Implement Key-Based Access in Your Gateway
// exa-proxy.ts - Route requests through your gateway const KEY_PERMISSIONS: Record<string, { maxResults: number; allowedTypes: string[] }> = { 'rag-pipeline': { maxResults: 10, allowedTypes: ['neural', 'auto'] }, 'research-tool': { maxResults: 25, allowedTypes: ['neural', 'keyword', 'auto'] }, 'marketing-team': { maxResults: 5, allowedTypes: ['keyword'] }, };
function validateRequest(keyName: string, searchType: string, numResults: number): boolean { const perms = KEY_PERMISSIONS[keyName]; if (!perms) return false; return perms.allowedTypes.includes(searchType) && numResults <= perms.maxResults; }
Step 3: Set Domain Restrictions
Restrict search results to approved domains for compliance-sensitive teams:
set -euo pipefail
Only allow searches from vetted sources
curl -X POST https://api.exa.ai/search
-H "x-api-key: $EXA_API_KEY"
-d '{
"query": "enterprise security best practices",
"includeDomains": ["nist.gov", "owasp.org", "sans.org"],
"numResults": 10
}'
Step 4: Monitor Usage and Rotate Keys
set -euo pipefail
Check usage per API key
curl https://api.exa.ai/v1/usage
-H "Authorization: Bearer $EXA_ADMIN_KEY" |
jq '.keys[] | {name, searches_this_month, cost_usd}'
Rotate a key (create new, then delete old)
NEW_KEY=$(curl -s -X POST https://api.exa.ai/v1/api-keys
-H "Authorization: Bearer $EXA_ADMIN_KEY"
-d '{"name": "rag-pipeline-prod-v2"}' | jq -r '.key')
echo "Update services with new key, then delete old key"
Error Handling
Issue Cause Solution
401 on search Invalid or revoked API key Regenerate key in dashboard
429 rate limited
Exceeded RPM on key Increase rate limit or add request queue
Monthly limit hit Search budget exhausted Upgrade plan or wait for billing cycle reset
Empty results Domain filter too restrictive Widen includeDomains or remove filter
Examples
Basic usage: Apply exa enterprise rbac to a standard project setup with default configuration options.
Advanced scenario: Customize exa enterprise rbac for production environments with multiple constraints and team-specific requirements.
Output
-
Configuration files or code changes applied to the project
-
Validation report confirming correct implementation
-
Summary of changes made and their rationale
Resources
-
Official Exa Enterprise Rbac documentation
-
Community best practices and patterns
-
Related skills in this plugin pack