Pokee Enterprise API

Authentication & access

Bearer token plus enterprise-grade authentication and network controls available on request.

Each tenant authenticates with a single bearer token, provided by Pokee at provisioning and stored in your secret manager of choice. Rotation is operator-side; ask Pokee if you need to rotate.

Authorization: Bearer pk_<tenant>_<32-byte-hex>

The token is scoped to your tenant. Anything you can do with it stays within your dedicated sandbox — there is no cross-tenant access surface.

Default access

Every tenant gets:

  • Dedicated subdomain: your-tenant.enterprise.pokee.ai. The hostname is yours; no shared API endpoint.
  • TLS 1.2+ — managed certificates, auto-renewed.
  • Bearer token — issued at provisioning, rotatable on request.
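
A client-side sketch of the defaults above, added here as an example and not Pokee's own code: it checks the token shape, binds the token to its tenant host, requires TLS 1.2+, and refuses redirects so the bearer token is never replayed to another host. Assumptions: "32-byte-hex" means 64 hex characters, the token's tenant segment equals the subdomain label, and the environment variable name POKEE_API_TOKEN is hypothetical.

```python
import os
import re
import ssl
import urllib.request

# Assumptions: "32-byte-hex" = 64 hex chars; tenant charset; env var name.
TOKEN_RE = re.compile(r"^pk_([a-z0-9-]+)_[0-9a-fA-F]{64}$")
BASE_DOMAIN = "enterprise.pokee.ai"

def parse_token(token):
    """Return the tenant named in the token; never echo the token in errors."""
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError("token does not match pk_<tenant>_<32-byte-hex>")
    return m.group(1)

def redact(token):
    """Log-safe form: keeps the tenant, drops the secret."""
    return "pk_%s_<redacted>" % parse_token(token)

def build_request(token, path, host=None):
    """Bind the token to its own tenant host (or an explicit vanity host)."""
    tenant = parse_token(token)
    own_host = "%s.%s" % (tenant, BASE_DOMAIN)  # assumed: token tenant == subdomain label
    host = host or own_host
    if host.endswith("." + BASE_DOMAIN) and host != own_host:
        raise ValueError("token tenant does not match target host")
    if not path.startswith("/"):  # blocks "@other-host/..." style URL confusion
        raise ValueError("path must start with /")
    req = urllib.request.Request("https://%s%s" % (host, path))
    req.add_header("Authorization", "Bearer " + token)
    return req

def tls_context():
    """Verify certificates and hostnames; refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # a 3xx becomes an HTTPError; the token is never replayed elsewhere

def call(path, env_var="POKEE_API_TOKEN"):
    """Read the token from the environment (filled by your secret manager) and send."""
    token = os.environ[env_var].strip()
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=tls_context()), NoRedirect)
    with opener.open(build_request(token, path), timeout=10) as resp:
        return resp.status, resp.read()
```

Use `redact()` wherever the token might reach a log line or an error report.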

Available controls

The following are available on request when your security team requires them. Most can be provisioned within hours by your Pokee account contact.

IP allowlist

Restrict which source IPs can call your endpoint. Implemented at the edge — non-allowlisted requests get a 403 before reaching the application. Useful when your callers come from a known corporate egress range.

Custom domain (vanity host)

Route requests through a hostname you control (e.g., api.acme.com) instead of your-tenant.enterprise.pokee.ai. Requires a CNAME and a domain validation record on your side; we handle TLS.

Static egress IPs

For webhooks or callbacks Pokee makes back to your services, we can pin a small set of static egress IPs that you allowlist on your side.

mTLS

Mutual TLS — client certificate authentication in addition to (or instead of) the bearer token. Pokee provisions the CA and per-tenant client certs; you present them on every request. Defends against bearer leakage.

Region pinning / data residency

Pin compute, storage, and inference to a specific region. Currently available: us-west-2, us-east-1, ap-southeast-1, ap-northeast-1. EU regions on request.

Operator portal SSO

The per-tenant documentation portal (docs.pokee.ai/customers/<your-tenant>) is gated by Cloudflare Access. Default: One-Time PIN to allowlisted emails. SAML / OIDC SSO with Okta, Azure AD, or Google Workspace is available on request.

Private connectivity

For tenants who can't expose API traffic to the public internet:

  • AWS PrivateLink — VPC endpoint into Pokee's region. No traffic crosses public IPs.
  • GCP Private Service Connect — equivalent for GCP-based tenants.

Lead time and pricing are case-by-case; reach out before scoping a deployment around private connectivity.


Need a control not listed here? Ask. Most enterprise asks have shipped on a per-tenant basis without requiring core API changes.
