Clarify DISTILL_API_KEYS usage for self-hosted auth

Siddhant-K-code · Siddhant-K-code · commit a3216ef61daf · 2026-01-01T07:49:20.000Z
- Explain it's for protecting self-hosted instances
- Add example for generating random API key
- Show how to include key in requests
diff --git a/README.md b/README.md
@@ -198,9 +198,32 @@ distill query     # Test a query from command line
 OPENAI_API_KEY      # For text → embedding conversion (see note below)
 PINECONE_API_KEY    # For Pinecone backend
 QDRANT_URL          # For Qdrant backend (default: localhost:6334)
-DISTILL_API_KEYS    # Comma-separated API keys for auth (optional)
+DISTILL_API_KEYS    # Optional: protect your self-hosted instance (see below)
 ```
 
+### Protecting Your Self-Hosted Instance
+
+If you're exposing Distill publicly, set `DISTILL_API_KEYS` to require authentication:
+
+```bash
+# Generate a random API key
+export DISTILL_API_KEYS="sk-$(openssl rand -hex 32)"
+
+# Or multiple keys (comma-separated)
+export DISTILL_API_KEYS="sk-key1,sk-key2,sk-key3"
+```
+
+Then include the key in requests:
+
+```bash
+curl -X POST http://your-server:8080/v1/dedupe \
+  -H "Authorization: Bearer sk-your-key" \
+  -H "Content-Type: application/json" \
+  -d '{"chunks": [...]}'
+```
+
+If `DISTILL_API_KEYS` is not set, the API is open (suitable for local/internal use).
+
 ### About OpenAI API Key
 
 **When you need it:**
