API Keys
Create, list, and revoke project-scoped API keys.
API keys provide project-scoped access for public widget delivery. All management endpoints require JWT authentication.
Create API key
POST
/api/projects/{projectId}/api-keys
Auth: JWT
Request body
| Name | Type | Default | Description |
|---|---|---|---|
| name* | string | — | Descriptive name for the key |
| permissions | string | READ | Permission level: READ or READ_WRITE |
| expiresAt | datetime | — | Optional expiration timestamp (ISO 8601) |
Request
{
  "name": "Android App Key",
  "permissions": "READ",
  "expiresAt": "2026-12-31T23:59:59"
}
Response 201
Response
{
  "id": "bb0e8400-e29b-41d4-a716-446655440000",
  "name": "Android App Key",
  "key": "pk_550e8400e29b41d4a716446655440000",
  "keyPrefix": "pk_550e84",
  "permissions": "READ",
  "createdAt": "2026-01-15T10:30:00"
}
Save the key immediately
The key field contains the full API key and is only returned in this response. It is hashed before storage and cannot be retrieved again.
List API keys
GET
/api/projects/{projectId}/api-keys
Auth: JWT
Response 200
Response
[
  {
    "id": "bb0e8400-e29b-41d4-a716-446655440000",
    "projectId": "770e8400-e29b-41d4-a716-446655440000",
    "name": "Android App Key",
    "keyPrefix": "pk_550e84",
    "permissions": "READ",
    "lastUsed": "2026-01-20T14:30:00",
    "expiresAt": "2026-12-31T23:59:59",
    "createdAt": "2026-01-15T10:30:00"
  }
]
The list endpoint only returns the keyPrefix, never the full key. Use the prefix to identify keys in the dashboard.
Revoke API key
DELETE
/api/projects/{projectId}/api-keys/{keyId}
Auth: JWT
Response 204
No content. The key is immediately invalidated.
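The fields in the list response are enough to review a project's keys and pick out candidates for revocation. The Python below is an added example, not part of this API or its documentation; the sample response, the finding names, the 90-day staleness threshold, and the treatment of a null or missing lastUsed/expiresAt as "unset" are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of the list response documented above (all values made up).
SAMPLE_LIST_RESPONSE = """[
  {"id": "key-1", "name": "Android App Key", "keyPrefix": "pk_aaaaaa", "permissions": "READ",
   "lastUsed": "2026-01-20T14:30:00", "expiresAt": "2026-12-31T23:59:59", "createdAt": "2026-01-15T10:30:00"},
  {"id": "key-2", "name": "Admin Script", "keyPrefix": "pk_bbbbbb", "permissions": "READ_WRITE",
   "lastUsed": "2026-01-30T09:00:00", "expiresAt": null, "createdAt": "2025-06-01T08:00:00"},
  {"id": "key-3", "name": "Old Demo", "keyPrefix": "pk_cccccc", "permissions": "READ",
   "lastUsed": null, "expiresAt": "2026-01-01T00:00:00", "createdAt": "2025-09-01T00:00:00"}
]"""

def parse_ts(value):
    """Parse the timestamp format shown on this page; null or missing stays None."""
    return datetime.fromisoformat(value) if value else None

def audit_keys(keys, now, stale_after=timedelta(days=90)):
    """Return {key id: [findings]} for keys that deserve review or revocation."""
    report = {}
    for key in keys:
        findings = []
        expires = parse_ts(key.get("expiresAt"))
        last_used = parse_ts(key.get("lastUsed"))
        created = parse_ts(key.get("createdAt"))
        if expires is None:
            # expiresAt is optional, so a key without it never ages out on its own.
            findings.append("no-expiry")
        elif expires <= now:
            findings.append("expired")
        if key.get("permissions") == "READ_WRITE":
            # Keys are meant for public widget delivery, where READ is the default.
            findings.append("read-write")
        # A key that was never used is measured from its creation time (assumption).
        idle_since = last_used or created
        if idle_since and now - idle_since > stale_after:
            findings.append("stale")
        if findings:
            report[key["id"]] = findings
    return report

if __name__ == "__main__":
    now = datetime(2026, 2, 1)  # fixed date so the sample output is reproducible
    for key_id, findings in audit_keys(json.loads(SAMPLE_LIST_RESPONSE), now).items():
        print(key_id, ", ".join(findings))
```

Keys flagged here can be removed with the DELETE endpoint above once their owners confirm they are no longer needed.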