From 5cad527876f702236f2d45eeca6af55977c2e869 Mon Sep 17 00:00:00 2001 From: "mintlify[bot]" <109931778+mintlify[bot]@users.noreply.github.com> Date: Tue, 16 Jun 2026 17:55:19 +0000 Subject: [PATCH 1/4] docs: warn against exposing assistant API key client-side --- api/introduction.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/api/introduction.mdx b/api/introduction.mdx index a163fdebf0..0ea15302e7 100644 --- a/api/introduction.mdx +++ b/api/introduction.mdx @@ -60,3 +60,9 @@ The assistant API key is a public token that you can reference in frontend code. Calls using the assistant API token can incur costs: either using your assistant credits or incurring overages. + + + Do not expose your assistant API key directly in client-side code in production. Anyone with the key can consume your assistant credits and incur overage charges. + + Instead, proxy assistant API requests through your own backend so that the key stays server-side. This also lets you implement your own rate limiting, authentication, and bot protection to prevent abuse. + From e1de44e5cad1a2f31ad5a45d529a4d3139740022 Mon Sep 17 00:00:00 2001 From: "mintlify[bot]" <109931778+mintlify[bot]@users.noreply.github.com> Date: Tue, 16 Jun 2026 18:13:36 +0000 Subject: [PATCH 2/4] docs: refine assistant API key security warning copy --- api/introduction.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/api/introduction.mdx b/api/introduction.mdx index 0ea15302e7..6fe8252cee 100644 --- a/api/introduction.mdx +++ b/api/introduction.mdx 
@@ -62,7 +62,7 @@ The assistant API key is a public token that you can reference in frontend code. - Do not expose your assistant API key directly in client-side code in production. Anyone with the key can consume your assistant credits and incur overage charges. + Although the assistant API key is designed to be public, avoid embedding it directly in client-side code in production. Any visitor who extracts the key can send requests on your behalf, consuming assistant credits and triggering overage charges. - Instead, proxy assistant API requests through your own backend so that the key stays server-side. This also lets you implement your own rate limiting, authentication, and bot protection to prevent abuse. + For production deployments, proxy assistant API requests through your own backend and store the key as a server-side environment variable. Routing requests through a proxy also lets you add rate limiting, authentication, and bot protection to prevent abuse. From 009b6dfdad891e7eab10b90380de194bbbf625d5 Mon Sep 17 00:00:00 2001 From: "mintlify[bot]" <109931778+mintlify[bot]@users.noreply.github.com> Date: Tue, 16 Jun 2026 20:32:03 +0000 Subject: [PATCH 3/4] docs: move assistant API key warning to top of section --- api/introduction.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/api/introduction.mdx b/api/introduction.mdx index 6fe8252cee..79dc600b5d 100644 --- a/api/introduction.mdx +++ b/api/introduction.mdx 
@@ -51,6 +51,12 @@ The admin API key is a server-side secret. Do not expose it in client-side code. ### Assistant API key + + Although the assistant API key is designed to be public, avoid embedding it directly in client-side code in production. Any visitor who extracts the key can send requests on your behalf, consuming assistant credits and triggering overage charges. + + For production deployments, proxy assistant API requests through your own backend and store the key as a server-side environment variable. Routing requests through a proxy also lets you add rate limiting, authentication, and bot protection to prevent abuse. + + Use the assistant API key to authenticate requests to [Create assistant message](/api/assistant/create-assistant-message-v2), [Search documentation](/api/assistant/search), and [Get page content](/api/assistant/get-page-content) endpoints. Assistant API keys begin with the `mint_dsc_` prefix. @@ -60,9 +66,3 @@ The assistant API key is a public token that you can reference in frontend code. Calls using the assistant API token can incur costs: either using your assistant credits or incurring overages. - - - Although the assistant API key is designed to be public, avoid embedding it directly in client-side code in production. Any visitor who extracts the key can send requests on your behalf, consuming assistant credits and triggering overage charges. - - For production deployments, proxy assistant API requests through your own backend and store the key as a server-side environment variable. Routing requests through a proxy also lets you add rate limiting, authentication, and bot protection to prevent abuse. - From 633b48efc0980763041cc7121ffac6180fce0993 Mon Sep 17 00:00:00 2001 From: Ethan Palm <56270045+ethanpalm@users.noreply.github.com> Date: Tue, 16 Jun 2026 13:35:16 -0700 Subject: [PATCH 4/4] Update api/introduction.mdx --- api/introduction.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/api/introduction.mdx b/api/introduction.mdx index 79dc600b5d..28a44b2308 100644 --- a/api/introduction.mdx +++ b/api/introduction.mdx @@ -52,7 +52,7 @@ The admin API key is a server-side secret. Do not expose it in client-side code. ### Assistant API key - Although the assistant API key is designed to be public, avoid embedding it directly in client-side code in production. Any visitor who extracts the key can send requests on your behalf, consuming assistant credits and triggering overage charges. + Do not directly embed the assistant API key in client-side code. Any visitor who extracts the key can send requests on your behalf, consuming credits and potentially triggering overage charges. For production deployments, proxy assistant API requests through your own backend and store the key as a server-side environment variable. Routing requests through a proxy also lets you add rate limiting, authentication, and bot protection to prevent abuse.
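Review bot: in the PATCH 1/4 hunk the new callout ("Do not expose your assistant API key directly in client-side code in production") is appended directly beneath the unchanged sentence "The assistant API key is a public token that you can reference in frontend code", so the section now tells the reader both to reference the key from frontend code and not to. Reword that existing sentence in the same change (for example, "The assistant API key is scoped for frontend use, but see the warning below") or qualify the callout so the two statements agree, rather than leaving the contradiction for a later patch.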
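Review bot: the second paragraph of the PATCH 2/4 hunk ("proxy assistant API requests through your own backend and store the key as a server-side environment variable. Routing requests through a proxy also lets you add rate limiting, authentication, and bot protection") presents those controls as optional extras, which implies the proxy alone reduces exposure. An unauthenticated proxy that forwards every request with the key is abusable exactly like the embedded key, just one hop away, so the text should say the proxy must actually enforce at least authentication or per-client rate limiting before it is an improvement, otherwise readers will ship a relay that only relocates the problem.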
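Review bot: the PATCH 4/4 hunk drops both the "designed to be public" clause and the "in production" qualifier, making the callout an unconditional "Do not directly embed the assistant API key in client-side code", while the PATCH 3/4 hunk header shows the sentence "The assistant API key is a public token that you can reference in frontend code" is still present lower in the same section. Either reword or remove that sentence in this patch, or keep the qualifier, so the page does not state the opposite two paragraphs apart; the same hunk also leaves "assistant API token" in the cost sentence next to "assistant API key" everywhere else, which is worth aligning while this section is being touched.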