All management endpoints on this page are [User] only. Organization members may list and inspect keys;
owner and billing_admin are required to create or revoke them.Endpoints
| Method | Path | Description | Auth |
|---|---|---|---|
POST | /api-keys | Create an API key | [User] admin |
GET | /api-keys?environment_id= | List keys in an environment | [User] |
GET | /api-keys/:id | Get key metadata | [User] |
DELETE | /api-keys/:id | Revoke a key | [User] admin |
How access is resolved
| Access dimension | Behavior |
|---|---|
| Environment | A key is permanently bound to one environment and cannot reach resources in another environment. |
tenant_ids | Optional tenant allowlist. An empty array grants access to every tenant in the environment; a non-empty array limits the key to those tenants. |
knowledge_base_ids | Optional knowledge-base allowlist that narrows access within the allowed tenants. An empty array does not add a knowledge-base restriction. |
scopes | Permission scopes such as tenants:read, documents:write, skills:read, or query:rag. |
Create an API key
POST /api-keys
Environment to bind the key to.
Human-readable key name.
Scopes to grant. If omitted or empty, the key receives the default tenant, knowledge-base, document, and RAG scopes described below.
Tenant allowlist. Every ID must belong to
environment_id. Omit or pass [] for all tenants in the environment.Knowledge-base allowlist. Every ID must belong to the environment and, when
tenant_ids is non-empty, to one of those tenants.Optional lifetime from 1 to 365 days. Keys without this field do not receive an API-configured expiration.
apiKey and the complete secret in rawKey.
Key prefixes
| Prefix | Environment types |
|---|---|
sk_live_ | production, personal |
sk_test_ | dev, staging, custom |
scopes is omitted or empty, the key receives:
admin:full is a wildcard permission scope: it satisfies every API-key scope check, but it does not make a key eligible for user-session-only endpoints or let it cross its environment boundary. It also makes tenant discovery return every tenant in the environment, regardless of tenant_ids. Prefer explicit least-privilege scopes for production integrations.List API keys
GET /api-keys
Returns key metadata, never complete secret values.
Environment whose keys to list.
Get an API key
GET /api-keys/:id
API key ID, not the secret value.
rawKey.
Revoke an API key
DELETE /api-keys/:id
API key ID to revoke.
Next steps
Authentication
Send keys safely and choose the right caller type.
Access & scopes
Build a least-privilege scope set.
Current caller
Inspect a key’s effective environment and allowlists.