Add Api Token docs

[Piroddi]

Summary by CodeRabbit

Documentation

• New Security section (paid plans only) featuring access control configurations
• API Key Authentication documentation with bearer token examples, including 401 Unauthorized error handling
• Clarified that security rules apply per indexer/project and persist across deployments
• Consolidated IP Whitelisting documentation under the Security section

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
envio-docs	Ready	Preview, Comment	Jun 12, 2026 2:02pm

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates Security configuration documentation across both HyperIndex and HyperIndexV2 hosted service guides. A new Security section replaces the prior standalone IP Whitelisting documentation, clarifying that security rules apply per indexer (project) rather than per deployment, documenting paid-plan availability, and introducing API Key Authentication with bearer token header usage examples and 401 Unauthorized response details.

Changes

Security Configuration Documentation

Layer / File(s)

Summary

Security section with IP Whitelisting and API Key Authentication docs/HyperIndex/Hosted_Service/hosted-service-features.md, docs/HyperIndexV2/Hosted_Service/hosted-service-features.md

Both hosted service documentation files establish a unified Security section covering IP Whitelisting and API Key Authentication as complementary access-control mechanisms. Documentation clarifies that configuration is per indexer (project), not per deployment, notes paid-plan availability, expands IP Whitelisting descriptions, and adds API Key Authentication usage instructions including the Authorization: Bearer <api-key> header format, 401 Unauthorized behavior for invalid/missing keys, and related security benefits.

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title mentions only 'Api Token docs' but the changeset encompasses both API Key Authentication and IP Whitelisting documentation across two files, with a reorganized Security section as the main structural change.	Update the title to reflect the full scope of changes, such as 'Add security documentation for API keys and IP whitelisting' or 'Document Security features including API key authentication and IP whitelisting'.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/HyperIndex/Hosted_Service/hosted-service-features.md`:
- Around line 63-80: The doc currently recommends using a shared API key for
"browser-based dApps and frontends" which is unsafe; update the text around the
"recommended option for browser-based dApps and frontends" and the
Authorization/Bearer example to explicitly prohibit embedding the API key in
client-side code and instead recommend a server-side/proxy flow (or short-lived
per-user tokens) that injects the Bearer token on behalf of clients; keep the
curl example as a server-side usage example and add a short note: "Do not expose
this key in browser code — use a trusted backend or proxy to attach
Authorization headers."

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 69771268-c670-41a7-b542-529f164def3b

📥 Commits

Reviewing files that changed from the base of the PR and between df5c3de and 0942a9a.

📒 Files selected for processing (2)

• docs/HyperIndex/Hosted_Service/hosted-service-features.md
• docs/HyperIndexV2/Hosted_Service/hosted-service-features.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don’t recommend a shared API key for browser clients.

The “recommended option for browser-based dApps and frontends” wording is unsafe: if this bearer token is embedded client-side, any user can extract and reuse it. Please reframe this as a server-side/proxy flow or explicitly state that the key must never be exposed in the browser.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/HyperIndex/Hosted_Service/hosted-service-features.md` around lines 63 -
80, The doc currently recommends using a shared API key for "browser-based dApps
and frontends" which is unsafe; update the text around the "recommended option
for browser-based dApps and frontends" and the Authorization/Bearer example to
explicitly prohibit embedding the API key in client-side code and instead
recommend a server-side/proxy flow (or short-lived per-user tokens) that injects
the Bearer token on behalf of clients; keep the curl example as a server-side
usage example and add a short note: "Do not expose this key in browser code —
use a trusted backend or proxy to attach Authorization headers."